Updates to 6.1.8

acf.php

@@ -9,7 +9,7 @@
  * Plugin Name:   Advanced Custom Fields PRO
  * Plugin URI:    https://www.advancedcustomfields.com
  * Description:   Customize WordPress with powerful, professional and intuitive fields.
- * Version:       6.1.7
+ * Version:       6.1.8
  * Author:        WP Engine
  * Author URI:    https://wpengine.com/?utm_source=wordpress.org&utm_medium=referral&utm_campaign=plugin_directory&utm_content=advanced_custom_fields
  * Update URI:    https://www.advancedcustomfields.com/pro
@@ -34,7 +34,7 @@ if ( ! class_exists( 'ACF' ) ) {
 		 *
 		 * @var string
 		 */
-		public $version = '6.1.7';
+		public $version = '6.1.8';
 
 		/**
 		 * The plugin settings array.

includes/post-types/class-acf-post-type.php

@@ -363,6 +363,7 @@ if ( ! class_exists( 'ACF_Post_Type' ) ) {
 			// Make sure any provided labels are strings and not empty.
 			$labels = array_filter( $post['labels'] );
 			$labels = array_map( 'strval', $labels );
+			$labels = array_map( 'esc_html', $labels );
 
 			if ( ! empty( $labels ) ) {
 				$args['labels'] = $labels;

includes/post-types/class-acf-taxonomy.php

@@ -190,10 +190,10 @@ if ( ! class_exists( 'ACF_Taxonomy' ) ) {
 				),
 				'description'            => '',
 				'capabilities'           => array(
-					'manage_terms'    => 'manage_categories',
-					'edit_terms'      => 'manage_categories',
-					'delete_terms'    => 'manage_categories',
-					'assign_terms'    => 'edit_posts',
+					'manage_terms' => 'manage_categories',
+					'edit_terms'   => 'manage_categories',
+					'delete_terms' => 'manage_categories',
+					'assign_terms' => 'edit_posts',
 				),
 				'public'                 => true,
 				'publicly_queryable'     => true,
@@ -309,6 +309,7 @@ if ( ! class_exists( 'ACF_Taxonomy' ) ) {
 			// Make sure any provided labels are strings and not empty.
 			$labels = array_filter( $post['labels'] );
 			$labels = array_map( 'strval', $labels );
+			$labels = array_map( 'esc_html', $labels );
 
 			if ( ! empty( $labels ) ) {
 				$args['labels'] = $labels;

readme.txt

@@ -2,9 +2,9 @@
 Contributors: elliotcondon
 Tags: acf, fields, custom fields, meta, repeater
 Requires at least: 4.7
-Tested up to: 6.2
+Tested up to: 6.3
 Requires PHP: 5.6
-Stable tag: 6.1.7
+Stable tag: 6.1.8
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -92,6 +92,11 @@ From your WordPress dashboard
 
 == Changelog ==
 
+= 6.1.8 =
+*Release Date 3rd August 2023*
+
+* Security Fix - This release resolves a stored XSS vulnerability in admin screens with ACF post type and taxonomy labels (Thanks to Satoo Nakano and Ryotaro Imamura)
+
 = 6.1.7 =
 *Release Date 27th June 2023*
 
@@ -114,7 +119,7 @@ From your WordPress dashboard
 = 6.1.6 =
 *Release Date 4th May 2023*
 
-* Security Fix - This release resolves an XSS vulnerability in ACF’s admin pages (Thanks to Rafie Muhammad for the responsible disclosure)
+* Security Fix - This release resolves an XSS vulnerability in ACF's admin pages (Thanks to Rafie Muhammad for the responsible disclosure)
 * Fix - Duplicating fields in a new field group with field setting tabs disabled now behaves correctly
 
 = 6.1.5 =