Releases: WordPress/secure-custom-fields

6.8.9

12 Jun 21:25
fe9aec8

Security

  • Hardened the escaping of wp_options LIKE queries used when loading option-page meta and during taxonomy term cleanup, switching to esc_like() so option-name prefixes are always matched as literals rather than as patterns.
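
Why the escaping matters for a prefix LIKE query, as an added stand-alone example (not SCF's own code). The option names, the `my_page` prefix and the helper functions are constructed for the demonstration; `demo_esc_like()` applies the same escaping as `$wpdb->esc_like()`.

```php
<?php
// Added illustration; runs with plain PHP, no WordPress needed.

// Same transformation $wpdb->esc_like() applies: backslash-escape _, % and \.
function demo_esc_like(string $text): string {
    return addcslashes($text, '_%\\');
}

// Small SQL LIKE evaluator (backslash escape character, as in MySQL's default).
function like_match(string $pattern, string $value): bool {
    $regex = '';
    for ($i = 0, $n = strlen($pattern); $i < $n; $i++) {
        $c = $pattern[$i];
        if ($c === '\\' && $i + 1 < $n) {
            $regex .= preg_quote($pattern[++$i], '/'); // escaped char is literal
        } elseif ($c === '%') {
            $regex .= '.*';                             // any run of characters
        } elseif ($c === '_') {
            $regex .= '.';                              // exactly one character
        } else {
            $regex .= preg_quote($c, '/');
        }
    }
    return preg_match('/^' . $regex . '$/s', $value) === 1;
}

function matching_options(string $pattern, array $names): array {
    return array_values(array_filter($names, fn($n) => like_match($pattern, $n)));
}

// Constructed option names; "my_page" is a hypothetical option-page id.
$options = ['my_page_title', 'my_page_color', 'myXpage_secret', 'my%page_other'];
$prefix  = 'my_page';

// Before: the underscores inside the prefix act as single-character wildcards.
$loose = $prefix . '_%';
// After: the prefix is escaped, only the appended % is a wildcard. In WordPress:
// $wpdb->prepare('... WHERE option_name LIKE %s', $wpdb->esc_like($prefix . '_') . '%')
$strict = demo_esc_like($prefix . '_') . '%';

echo "unescaped: ", implode(', ', matching_options($loose, $options)), "\n";
echo "escaped:   ", implode(', ', matching_options($strict, $options)), "\n";
```

The unescaped pattern also selects `myXpage_secret` and `my%page_other`, which belong to other prefixes; the escaped pattern selects only the two `my_page_` options.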

Fixes

  • The URL, text, textarea, and select-style fields no longer raise PHP errors when a non-scalar value (such as an array) is submitted; such input is now treated as invalid.

SCF 6.8.8

11 Jun 15:22

Security

  • AJAX field handlers now validate that the request nonce was created for the expected field type, so a nonce minted for one field type can no longer be replayed against another field type's AJAX handler. The gallery field was also aligned with the typed nonce scheme used by all other AJAX fields.
  • acf_decrypt() now treats malformed payloads as a decrypt failure and returns false instead of emitting PHP 8 warnings.

Enhancements

  • acf_inline_toolbar_editing_attrs() now accepts a return_array argument that returns the attributes as an escaped array suitable for use with wp_get_attachment_image().

Fixes

  • acf_form() with 'post_id' => 'new_post' and a fields list of field names no longer causes a fatal error when acf_form_head() runs before WordPress's main query is built.
  • Multiple acf_form() calls wrapped inside a single outer form tag with one submit button no longer silently drop field values, post_title, or post_content from the non-last forms. A new acf/form/meta_ttl filter controls how long per-form metadata remains valid.
  • Duplicating a V3 block with identical attributes no longer displays corrupted preview content in the duplicate.
  • Switching between tabs containing WYSIWYG fields no longer leaves the admin menu pinned against a shorter page, which could lock page scroll.

6.8.7

06 Jun 09:58
f67e5c0

Release Date 8th June 2026

Fixes

  • SCF's Abilities API integration for its internal post types no longer triggers PHP warnings, notices, or a fatal error (500) on block editor and REST API requests when another active plugin builds the WordPress abilities registry earlier in the request; registration is skipped cleanly in that case and normal abilities behavior is otherwise unchanged.

6.8.6

27 May 20:28
c717730

Release Date 27th May 2026

Security

  • Hardened authorization on the oEmbed field's AJAX search endpoint. The endpoint now requires an authenticated user with content-authoring capability; the legacy unauthenticated entry point is deprecated and will be removed in a future release.
  • Hardened front-end acf_form() submission processing so the post_title and post_content form options are respected on save, and the save pipeline only accepts values for fields the rendered form exposed. A new acf/form/allowed_field_keys filter is available for sites that legitimately extend a form at runtime.

6.8.5

19 May 18:45

Release Date 19th May 2026

Features

Backports 6.8.1 feature work into SCF.

6.8.4

30 Apr 10:43

Release Date 30th April 2026

Features

  • Backports 6.8.0 and 6.8.0.1 feature work into SCF.
  • AI integration: SCF now integrates with the WordPress Abilities API, allowing external consumers, including AI tools, to manage field groups, post types, and taxonomies when explicitly enabled via the feature flag.
  • Structured data: SCF can now generate JSON-LD structured data fields when explicitly enabled via the feature flag.
  • WP-CLI: Added and backward-compatible commands for importing, exporting, syncing, and checking the status of SCF JSON files.
  • Post types: SCF custom post types now support the WordPress 6.9+ Notes editor feature via a new Notes checkbox in the Supports settings.
  • JSON Schemas: Added v1 schemas for supported field types and updated field group, post type, and taxonomy schemas.

Enhancements

  • Blocks V3: The Open in Expanded Editor button text can now be customized via a new block.json property.
  • Blocks V3: Added a PHP filter to customize the default Open in Expanded Editor button text.
  • Blocks V3: The edit and Open in Expanded Editor buttons can now be hidden via a new block.json property.
  • Blocks V3: Added a JavaScript filter for customizing the Expanded Editor modal overlay class.
  • Blocks V3: The block form HTML is now preloaded alongside the preview, eliminating an extra AJAX call on mount.
  • Blocks V3: Expanded Editor buttons are now hidden for V3 blocks that have no fields assigned.
  • SCF inline script tags now use for Content Security Policy (CSP) compliance and nonce support.

Fixes

  • V3 blocks with WYSIWYG fields no longer enqueue TinyMCE editor assets on the frontend.
  • V3 blocks with identical attributes and different InnerBlocks content no longer return cached output from the first block on the frontend.
  • Flexible Content fields now properly clean up nested postmeta when a parent layout containing nested Flexible Content fields is deleted.
  • The Expanded Editor Done button now stays disabled until the AJAX save completes, preventing data loss.
  • Pressing Escape while the Expanded Editor is saving will no longer close the modal, preventing data loss.
  • InnerBlocks content containing backslashes or dollar signs now renders correctly.
  • Auto Inline Editing now only applies to SCF Blocks V3, resolving incorrect hover/focus borders appearing on V2 blocks.
  • Auto Inline Editing blocks now receive block context variables in render templates.
  • Auto Inline Editing now works with blocks using .
  • Validation errors in the V3 Expanded Editor no longer cause a dead-end state.
  • Icon Picker selections in Repeater fields no longer disappear.
  • Range field number input now syncs to the slider and correctly updates V3 block previews.
  • Message field Name and Instructions settings are no longer shown in the field group editor.
  • Image field no longer crashes in WordPress 7.0 release candidates.
  • V3 blocks registered via PHP now correctly show the Open in Expanded Editor button.
  • Flexible Content disabled layouts now work correctly in Blocks V3.

6.8.3

22 Apr 16:00

Release Date 22nd April 2026

Fixes

  • Fix command palette type error on wp-admin.
  • Plugins requiring ACF are also validated for SCF.
  • REST API calls now honor the user's capability.
  • Block Preview rendering now verifies the user can edit the target post.
  • Paginated Repeater fields now verify the user can edit the target post.
  • Flexible Content layout title AJAX requests now validate a security nonce.
  • Clone field AJAX endpoints now enforce SCF admin permissions on field group listings.

6.8.2

24 Mar 16:13
20bddd0

Release Date 24th March 2026

Fixes

  • AJAX Handlers: Prefix field-specific nonces to resolve an issue where third-party nonces could be treated as valid for AJAX calls.
  • Block Preview: Verify that user has access to post specified via block context.
  • Repeater Field: Verify that user has access to specified post.
  • REST API: Apply KSES sanitization to field content saved by users without unfiltered_html capabilities.
  • REST API: Respect show_in_rest setting for field groups in /types endpoint.
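
How a prefixed, field-type-bound nonce action behaves, covering both the 6.8.2 prefixing fix above and the 6.8.8 field-type check. This is an added stand-alone example, not SCF's or WordPress's code: the HMAC scheme is a simplified model of an action-bound nonce, and the key, the `scf_demo_field_` prefix, the user id and all function names are assumptions.

```php
<?php
// Added illustration; a simplified model of action-bound nonces, not WordPress's code.
const DEMO_KEY = 'constructed-demo-key';   // stands in for the site's secret salt
const PREFIX   = 'scf_demo_field_';        // hypothetical plugin-specific prefix

function demo_tick(): int {
    return (int) ceil(time() / 43200);     // 12-hour window
}

function demo_mac(int $tick, string $action, int $user_id): string {
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", DEMO_KEY), 0, 10);
}

function demo_create_nonce(string $action, int $user_id): string {
    return demo_mac(demo_tick(), $action, $user_id);
}

// Valid only for the same action and user, in the current or previous window.
function demo_verify_nonce(string $nonce, string $action, int $user_id): bool {
    foreach ([demo_tick(), demo_tick() - 1] as $tick) {
        if (hash_equals(demo_mac($tick, $action, $user_id), $nonce)) {
            return true;
        }
    }
    return false;
}

// Each handler derives the expected action from its own field type.
function handler_accepts(string $handler_type, string $nonce, int $user_id): bool {
    return demo_verify_nonce($nonce, PREFIX . $handler_type, $user_id);
}

$user = 7; // constructed user id
$gallery_nonce = demo_create_nonce(PREFIX . 'gallery', $user);
$foreign_nonce = demo_create_nonce('gallery', $user); // another plugin, no prefix

var_dump(handler_accepts('gallery', $gallery_nonce, $user));      // matching type
var_dump(handler_accepts('post_object', $gallery_nonce, $user));  // other field type
var_dump(handler_accepts('gallery', $foreign_nonce, $user));      // unprefixed action
var_dump(handler_accepts('gallery', $gallery_nonce, $user + 1));  // other user
```

Only the first call is accepted; the nonce is rejected when replayed against another field type's handler, when it was minted for an unprefixed action, or when presented for a different user.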

6.8.1

11 Mar 12:12
7b2e4fb

Release Date 11th March 2026

Backports from 6.7.1

  • Security - User field AJAX queries now enforce field-configured role restrictions and validate search permissions.
  • Security - Post Object, Relationship, and Page Link field AJAX queries now enforce field-configured restrictions for post status, post type, and taxonomy.
  • Site Health - Track blocks using auto inline editing.

6.8.0

30 Dec 12:48

Release Date 30 Dec 2025

Features

  • Abilities integration: added field abilities for Field Groups and individual Fields.
  • Abilities integration: added trash/untrash abilities for internal post types.
  • All backports up to 6.7.0.2.
  • JSON Schemas: Added all field schemas.
  • WooCommerce HPOS: Added support for custom fields on any WooCommerce Order Types.
  • Added PHPUnit tests.

Fixes

  • Hide duplicated Command Palette Commands on WP 6.9+.
  • Fix field schema validation for WP Rest API.
  • Fix checkbox toggle functionality.