Hi there,
We just got the following message from WordPress.com over the weekend,
Has anyone else had this issue?
“A recent security scan identified and immediately fixed an issue on your site: https://______.com.au
WordPress.com found that the advanced-custom-fields-pro plugin contains a vulnerability. In order to protect your site and your visitors, the security system automatically removed the entire extension. Since this may have altered the appearance of your site, we recommend you review your site for changes.
Our Happiness Engineers are standing by if you have any questions or concerns. Simply reply to this email to get in touch with us!
Reference _________
– The WordPress.com Team”
Don’t know where the email came from but is is suspect and I would assume phishing.
I can confirm this behaviour I just a had a chat with a support tech who said this:
So the threat was detected on 2021-04-05 and the plugin version was 5.8.13 it seems. It was removed since it had a vulnerability.
They removed the plugin completely without any notification, so it broke my website
Ah, I see now that I look again. wordpress.com.
I am not familiar with what the vulnerably was in that version but I cannot find any information about it. Elliot might know.
Confirmed I have the same issue. WP.com team went ahead and removed the entire plugin completely breaking my website.
I’m sooo annoyed by what the did without any warning…
Hi, ya’ll!
I’m sorry to hear of the issues reported here and the impact this has had.
As for the reported removals, please update to the latest version of ACF Pro to prevent this. WordPress.com has built-in security scanning which alerts our team for installations of ACF Pro below 5.9.1.
This is due to the vulnerability that was reported: https://wpscan.com/vulnerability/d1e9c995-37bd-4952-b88e-945e02e3c83f
Also, please feel free to contact WordPress.com support for more on this.
Best,
Joshua
