We have been informed that @wp_acf has emailed this to their customers:
"We are reaching out to you promptly and directly to address Matt Mullenweg's unprecedented and appalling actions on Oct 12th to forcibly appropriate the Advanced Custom Fields (ACF) plugin and .org listing. The potential impact of Mr. Mullenweg's improper action is that millions of existing installations of ACF will be updated with code that is unapproved and untrusted by the experts on the ACF team at WP Engine. We want to highlight how you can immediately reduce your exposure and risk now, and ensure you are using the genuine ACF."
However, from what we can tell, they have not updated their version to patch the security hole we patched in 6.3.6.2 of Secure Custom Fields. So using their version does not "reduce your exposure and risk", it actually increases it.
On behalf of the WordPress Security Team, we are advising users to *avoid* Advanced Custom Fields until they release an update that patches the problem with $_REQUEST we fixed in 6.3.6.2. Their code is currently insecure, and it is a dereliction of their duty to customers for them to tell people to avoid Secure Custom Fields until they fix their vulnerability. We have also notified them of this privately, but they did not respond.
Community note
WordPress has removed WP Engine’s access to its official repository and taken control of the ACF plugin at the repo, forking it as Secure Custom Fields.
WP Engine continues developing ACF and released a bug fix update, but it cannot be submitted to WordPress repositories.
wordpress.org/plugins/advanc…
Oct 14, 2024 · 4:19 AM UTC