> This update is as minimal as possible to fix the security issue.
> This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.
So.. is this fixing a security issue.. or is this because of WP Engine?
> and are forking Advanced Custom Fields (ACF) into a new plugin
And stealing their place in the plugin store. A fork generally implies that you are going to set off on your own, and not inhabit the dead flesh of the project you just killed.
Matt Mullenweg is the biggest child I have ever seen in operation.
> So.. is this fixing a security issue.. or is this because of WP Engine?
AFAIK, here's the timeline.
1. Automattic announced that there was a security issue in ACF.
2. WP Engine fixes it immediately.
3. Automattic bans the WP Engine developers from Wordpress.org, so they can't deploy the fix. This places millions of users at risk, but that's how they roll.
4. Automattic forks ACF, removes the commercial upgrade, and renames it.
> So.. is this fixing a security issue.. or is this because of WP Engine?
It's fixing a security issue WP Engine cannot fix because they are banned from wordpress.org.
*Has fixed, but can't post the fixed version to wordpress.org, to be clear
Not just "stealing their place in the plugin store" but also blatantly committing trademark violations. https://imgur.com/a/D7YHn4e
Pot... Kettle... Something, something.
So WordPress-the-org — which is effectively Matt, as far as I can tell — just Sherlocked a developer's plug-in using the developer's own code, ostensibly as retribution for a security issue that the developer had already fixed. https://www.advancedcustomfields.com/blog/acf-6-3-8-security...
What am I missing?
That ACF security update was not made available on WordPress.org due to ACF maintainers being blocked from accessing WordPress.org, according to WordPress.org's blog https://wordpress.org/news/2024/09/wp-engine-banned/
> Sherlocked
The verb you're looking for is stole
Sherlocking is when a Walmart is built next to a cornershop. Here the dude tore open the corner shop while claiming to be a victim.
When I posted, I was under the impression that ACF was open source. But the GitHub repo doesn’t list one, so if it’s not open source…WTF.
Forking isn't the issue. Here they just took the whole ID/address from which existing installations will continue to be updated. This is theft. I have no doubt it will be added to the lawsuit.
While technically they own the platform and can do whatever they want, there is clearly ill intent here and it'll be used against them.
I think being GPL is a requirement to host plugins in wp.org, so yes, that free version available there is (was?) open source.
> When I posted, I was under the impression that ACF was open source. But the GitHub repo doesn’t list one, so if it’s not open source…WTF.
Isn't it here?
https://github.com/AdvancedCustomFields/acf
If you mean the licence, it's in readme.txt:
https://github.com/AdvancedCustomFields/acf/blob/master/read...
Thanks! The GitHub app reports it as "None" (https://imgur.com/a/5dyaTfX), but now I see it's "GPLv2 or later".
Clearly AdvancedCustomFields should have filed a trademark to prohibit Wordpress from fully stealing it.
GPL code, trademarked branding. If you want to fork then you have to actually fork.
Oh the irony.
> Clearly AdvancedCustomFields should have filed a trademark to prohibit Wordpress from fully stealing it.
They did:
Advanced Custom Fields — https://tsdr.uspto.gov/#caseNumber=98321164&caseSearchType=U...
ACF — https://tsdr.uspto.gov/#caseNumber=98321135&caseSearchType=U...
Or, more blatant and accurate, Sherlocking is when Apple literally named their search product "Sherlock" when a popular third party shareware app named "Watson" already existed.
This release fixes a separate security vulnerability from the original update.
You are abusing the community for your own gain. Stop!
Can anyone else prove this security vulnerability actually existed?
It doesn't matter. Matt didn't have the right to hijack ACF.
I'm not on Matt's side, but anyone has the right to fork a GPL project and call it something else.
This is not a fork. He stole the original project plugin space, its reviews, download statistics, SEO traffic, etc. It has nothing to do with GPL.
That isn't what happened here.
The maintainers [1] and the Wordpress project’s core security team lead [2] said that the fix was already published, despite your blocking them from publishing it directly and irresponsibly disclosing the issue out of spite [3].
Was that not true?
[1] https://x.com/wp_acf/status/1843376378210857441
Sorry, I misread, disregard. I’d delete the comment but HN won’t let me.
Related: the main developer on the Fields API proposal is calling it quits on involvement with WordPress.
https://github.com/sc0ttkclark/wordpress-fields-api
I'm not entirely sure what it is but it has over 350 stars and quite a few forks so it's probably important.
Now-resigned maintainer Scott is also lead dev of Pods, an awesome ACF-like plugin.
Lines have been crossed when stealing other people's code, which is what happened in the case of ACF to SCF, IMHO.
Wordpress banned forks from the plugin directory a while ago, so they're doing what they ban everyone else from doing. https://make.wordpress.org/plugins/2021/02/16/reminder-forke...
Rules are for thee, not for me
ACF isn’t a premium plugin (linked post only concerns those).
The linked post also might not reflect the current policies. This update was a security update and was done due to the unique circumstances around the original publisher.
There are a lot of other employers that won't make you lie for them.
If you point to any lies told by me, I would love to correct them.
No one has told me to come here and defend anyone. I work at a part of Automattic that is isolated from anything WordPress — I don’t have to be here.
I am defending values I believe in. I am trying to make sure correct information is out there.
You are free to not believe that of course.
If Microsoft took over an existing GitHub repo, would those values be the same?
The correct information is that your employer created the security problem as part of their shakedown attempt. They then banned the WP Engine developers from Wordpress so that they couldn't update the plugin. Now they've forked the plugin, removed the commercial upgrade, and renamed it.
I'm not sure where values come into it. I'd be ashamed to work there.
What values are those, exactly?
Exactly. ACF is free and open source. ACF Pro is not. Secure Custom Fields is based on the free version (ACF, without "Pro").
The mental gymnastics you keep doing to defend your boss are impressive, and I'm sure will reflect well on your next perf cycle!
Spamming nonsense isn't a good look...
Link to the delta from the latest code revision where they replaced “ACF” with “SCF”.
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph...
Not a lawyer, but since WPE sells ACF services, can WP redirect users away? That is directly impacting a competitor’s bottom line.
If anyone is interested in the extended controversy surrounding Wordpress, there is a site that has been tracking everything.[0]
Wow, I hadn't heard about the nosebleed incident. Absurd, even if he ain't snorting coke, it's deeply weird to continue an interview while profusely bleeding as if nothing is happening.
I have no stake in any of this but some people have nosebleeds without anything nefarious or bad going on. This guy doesn’t need any help looking bad, suggesting that his nosebleed is important is stupid.
It's not the nosebleed in itself, it's the ignoring of the blood streaming down the face during a video interview that is the most curious. And it wouldn't be as relevant if the subject hadn't acted increasingly erratic and self-destructive in the same time period.
It's not "important", it's just deeply weird, because it tracks.
If anyone from Automattic is reading this and would like to confidentially leak any internal information about this behaviour from Matt, please email admin@bullenweg.com and I will publish it on bullenweg.com.
This is excellent!
Is there a repo of this website?
It would be good to have for preservation purposes.
It actually is an excellent website, and the repo is here: https://github.com/bullenweg/bullenweg.github.io
Matt, you probably don't remember me, but we met briefly at WordCamp Vienna 8 years ago. I was hugely inspired by you for many years and still was until a few weeks ago.
It's not too late to stop this madness.
I have been unable to convince Jason Bahl to share the ~threats~ ~coercion~ terms you used to convince him to join Automattic. Your contribution via GitHub of the terms that you used to ~coerce~ persuade him into defecting would be appreciated.
People are concerned about you, my dude. Very concerned. From one human being to another - please consider taking a step back to get some perspective.
As a builder of a small specialized CMS for which WordPress is a large generalized competitor, thanks Matt. Refugees welcome.
I'm rooting for this to happen. Best of luck to the new king of the market.
I'm interested. Please do share.
Thanks but I'm going for pseudonymity on this account. Just a few dozen clients.
Perhaps you should edit out "refugees welcome" then.
Blog post on wordpress.org concerning this: https://wordpress.org/news/2024/10/secure-custom-fields/
> There is separate, but not directly related news that Jason Bahl has left WP Engine to work for Automattic and will be making WPGraphQL a canonical community plugin. We expect others will follow as well.
Anything to prop up their position and throw the company they are attacking under the bus. What a jerk.
Which, by the way, previously ended with "We expect others will defect as well." before the post was edited
> This update is as minimal as possible to fix the security issue.
What is the actual issue? CVE number?
Details haven't been made public yet: https://www.cve.org/CVERecord?id=CVE-2024-9529
Though, Automattic posted publicly that there was a vulnerability shortly after filing the CVE, while simultaneously blocking WPEngine from being able to push a fix to it because they'd cut off access to wp.org.
I can’t find the actual number because Automattic’s tweet[1] announcing it has been deleted, but it’s the one mentioned in the ACF 6.3.8 release notes[2]. The authors of ACF can’t upload that version to wordpress.org themselves because Matt banned them from there before making the announcement.
ETA: Matt says[3] it’s a different vulnerability. Anybody willing to break out the almighty diff?
[1] Discussed at the time: https://news.ycombinator.com/item?id=41752289
[2] https://www.advancedcustomfields.com/blog/acf-6-3-8-security...
The diff contains two (identical) changes that aren't just ripping out upgrade notices for the pro version: Two functions that stop callbacks from accessing $_POST now also stop them from accessing $_REQUEST, which also contains everything in $_POST. Also confirmed by WP Engine's update notice[1].
I honestly don't see why anyone would treat this as a security issue. Everything involved is PHP code that can do whatever it wants, not in any kind of sandbox.
Edit: And even if it were, this update doesn't fix the problem. POST variables can still be accessed:
filter_input(INPUT_POST, 'name');
[1]: https://www.advancedcustomfields.com/blog/acf-6-3-8-security...
I think they mean that it's developed by WP Engine and that's the security issue.
> This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.
Yeah, that is not how trust works.
Good lord, why?? That’s such a petty move and is just doing further damage to the WordPress ecosystem.
scorched earth is always so successful
This gets better by the day.
I'm so rooting for WPE and I hope the judge will lay it heavy.
So, wordpress is being burnt to the ground by Matt. Just great. :/
It is as if Wordpress [1] is asserting that the original author is a danger to public safety. Their terms read: ...
To that end, we reserve the following rights: ... to make changes to a plugin, without developer consent, in the interest of public safety.
OK so:
1) WordPress clearly lacks functionality like ACF that belongs in core
2) Many developers clearly like ACF
3) Many do not (it's messy in the DB, if you ask me)
4) Core functionality that was if not API-compatible, at least API-familiar with ACF would be welcomed by many
5) Creating a new plugin that did this, that was transitioned into core (like other functionality has been), would be a good plan
6) Commandeering the slug for a decade-old commercial plugin like this, to replace it with a fork, is so obviously fucking bad form that it's still hard to believe it is happening even given all the other whatthefuckery that has been happening.
ETA: 7) "Secure Custom Fields"? Really? The difference is what?
What the fuck, Matt?
ETA: personally I understand many of the frustrations with WP Engine's positioning. I have experienced exactly the trademark confusion issues that the lawsuit has been about, where clients have assumed WP Engine is WordPress itself. I don't use them after some iffy customer service and technical issues early on. But this is absurd behaviour.
The fucked thing is that per the article, they're not even dedicating any resources to maintain it going forward, they've just made this one fix and are throwing it to other people to maintain if they want:
> Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch.
We have taken on stewardship of this code going forward, and will dedicate engineers to it. Probably more than Silver Lake does.
So, the ACF plugin is a useful contribution to the WordPress ecosystem? Significant enough to warrant bringing it in-house now? Is work on it included in your assessment of what WPE contributes?
Why don't you mention this in the post at all?
I can't even follow what's going on here, and I used to be an expert in software licensing drama. All I see is a bunch of unilateral actions driven by Matt Mullenweg that breaks so many implicit promises of how a free software steward should behave.
Wordpress sites quite often seem to be a hodge-podge of plugins, each with their own UI and conventions, and (as a host) I'm never an expert in any one of them. Has one of the site designers used a plugin that has offended Matt? Or that might offend him in the near future? How do I even audit for that?
I don't need much of a push to move my position on this. Before: "eh, use Wordpress if it's cheaper" Now: "please don't, that decision will probably cost me".
Theoretically WPE might be a bad actor-- perhaps even more than any commercial competitor naturally is-- but they're smart enough to not smear it around with absurd moves like this that radiate a lack of professionalism or ability to predict reactions.
Pathetic. Matt banned one of the most popular WordPress plugins. Then, he forked the code and hosted it on WP.org, which is against the Terms of Service. He also hosted it in the plugin directory on the same path as ACF, stealing its SEO traffic. Wow!
Matt's state of mind is clearly not good. If I were an investor in WordPress, I would start thinking about cutting my losses. WordPress will not recover from this self-inflicted destruction.
*Update* Oh, it's worse than that. He just renamed the ACF to SCF and claimed all the installations and reviews from ACF. I still can't believe this happened. This can't be legal!
Have you read the GPL?
Eventually you are going to have to confront that the distance between 'technical correctness' and 'moral correctness' is vaster than you apparently think it is.
Parent does not mention GPL, nor is this a GPL issue. It's about the takeover of an existing plugin and it's reviews/installs.
What kind of response is that? Does that mean you approve of sites like GPLDL then?
You need therapy my dude, you radiate SDE.
This whole saga is surreal because I thought myself to be constitutionally incapable of rooting for a private equity firm to win a fight, but this is like watching a guy violently strain to shit his pants while yelling “Look what they made me do!”
Also the guy is in a hot tub with all of his friends and employees
ProcessWire CMS (https://processwire.com/) is a neat alternative if one requires quite complex set of custom fields on a website.
I wonder what will happen to old websites I built with ACF and did not touch for years? Are they vulnerable now, as owners cannot get updates for ACF?
I had to login to several sites and make sure that the plugins would not auto-update. This is pretty much like a rogue actor taking over a plugin.
This is one of the sleaziest things I've ever seen. I fear a hard fork of WordPress is now inevitable and unfortunately, it's possibly going to kill the platform, all over one man's ego. How can I now sell my clients on using WordPress for mission critical things if on a whim the owner of WordPress can break my site or lock out my security updates, just because I chose the "wrong" host or plugin? I don't see how the Board can sit by and let this all unfold like this, it's practically business suicide.
https://developer.wordpress.org/plugins/wordpress-org/detail...
> The use of trademarks or other projects as the sole or initial term of a plugin slug is prohibited unless proof of legal ownership/representation can be confirmed
The plugin is at https://wordpress.org/plugins/advanced-custom-fields and advanced custom fields filed for trademark last December https://trademarks.justia.com/983/21/advanced-custom-9832116...
Also
https://developer.wordpress.org/plugins/wordpress-org/plugin...
> We also don’t accept 100% copies of other people’s work
There's a clause which looks applicable https://developer.wordpress.org/plugins/wordpress-org/plugin...
> What happens to a plugin if the plugin owner gets blocked?
however the page says "Last Updated: 12 October 2024" and https://github.com/WordPress/developer-plugins-handbook/blob... doesn't have this section so someone is trying to cover their tracks...
Good catches. Also note that "ACF" is trademarked by WPEngine and is used throughout the source code and reviews.
If you were an insider deliberately trying to tank WordPress, it is hard for me to imagine anything you could do that would be more effective than this.
We no longer do custom WordPress work --- it turned out to never be worth the hassle --- but when we did, our company used ACF extensively. High quality plugin with responsive support and very fair licensing terms.
This --- to me --- smacks of complete bullshit.
Forking it is whatever, but to take over their namespace and thus break trust across the ecosystem is a dealbreaker. All devs will have to move.
It is complete bullshit, but calling ACF high quality is also pretty out there.
It's one of those giants in WP that is stuck in the past, arguably much like a lot of core.
To be fair we haven’t worked with WP in 4 years; our experience with ACF was always positive.
4 years ago it was still great. I had one contact with WPE support since they bought the plugin last year or so and it was the most frustrating support interaction I ever had. It felt like I was writing with an AI that was prompted to drive me crazy so that I would leave them alone.
The URL though says "advanced-custom-fields"; Matt...I can't find the words to comment; I just shake my head -_-
If you look at the reviews, they took over the advanced-custom-fields plugin and modified the owner to be Wordpress.org and renamed it to Secure Custom Fields.
What a terrible look
They also modified it by ripping out the pro features, so if people update their ACF Plugin and they had pro features enabled, it'll just break their install
https://plugins.trac.wordpress.org/changeset/3167679/advance...
So they forked some open source software and "hacked it up" to remove notices from the original creators? Fascinating.
Yup, removing post revisions, which I think is a single-line change, is hacking it up when WP Engine does it, but this is totally okay apparently.
What a choice, and what poor timing.
Companies that make breaking changes on holiday weekends aren’t going to earn much goodwill from developers.
Nothing has broken. Perhaps WP Engine should have considered that before suing us.
I'd normally never say something like this, but: seek therapy, man. Seriously. This is not normal. It will end badly for so many people, including yourself. It may not be too late.
I've vouched this comment. I don't think we should be flagging this comment; it's not particularly out of line, and there's a significant interest in the community seeing Mullenweg's comments.
You are a disgrace to the open source community.
I hope the lawsuit serves as a lesson to you.
There won't be a Wordpress community left if you continue as you have. What does the board think of your actions?
What a 5-year-old kid you are, Matt. Good that the community can now see through it.
Guy who started a fight tells target to stop hitting themselves
Please proceed, governor.
I don't think punishing people for suing you typically plays well in court. Especially not if you, you know, publicly announce that's what you're doing.
The pro version of the plugin is a separate install, this just rips out the upgrade notices.
AFAIK the free version never included “pro features” in the first place
Just stealing plugins right now? Or is this some kind of "eye for an eye" situation?
I'm really turned down from the whole ecosystem by this total shitshow. Seems like everything could be pulled from under running sites if some clown decides he doesn't like it anymore.
At this point I just hope that WP Engine wins whatever lawsuit happens and Matt Mullenweg (and everybody who was involved besides him) has to pack his things and leave everything WP-related forever.
I thought there weren't any hinges left for Matt to unhinge. He dug for that minor vulnerability to be able to justify that takeover.
Who can ever trust this guy and his company, ever again?