---
date: 2024-10-14T06:24:41+00:00
modified: 2024-10-14T06:24:41+00:00
permalink: https://kaspars.net/note/mastodon-social-113305051591734091
post_type: note
author:
  name: Kaspars
  avatar: https://reverse.kaspars.net/gravatar/avatar/92bfcd3a8c3a21a033a6484d32c25a40b113ec6891f674336081513d5c98ef76?s=96&d=mm&r=g
---

# On October 14, 2024 at 09:24

The ACF vulnerability that is "fixed" by the Secure Custom Fields plugin is not an actual vulnerability. The updated code path gets executed only if:

1\. You're using ACF to define custom post types or taxonomies,  
2\. AND an administrator-level user has specified a custom metabox callback function that (a) already exist in your codebase and (b) is somehow malicious.