ACF does use add_query_arg(), but neither of the two places this is used depends on user input. The vulnerability reported by Sucuri was has to do with using user input without escaping it when using this function.
Viewing 2 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic.
Welcome to the Advanced Custom Fields community forum.
Browse through ideas, snippets of code, questions and answers between fellow ACF users