Security Fix - ACF now generates different nonces for each AJAX-enabled field, preventing subscribers or front-end form users from querying other fields' results
Security Fix - ACF now correctly verifies permissions for certain editor-only actions, preventing subscribers from performing those actions
Security Fix - Deprecated a legacy private internal field type (output) to prevent it being able to output unsafe HTML
Security Fix - Improved handling of some SQL filters and other internal functions to ensure output is always correctly escaped
Security Fix - ACF now includes blank index.php files in all folders to prevent directory listing of ACF plugin folders on incorrectly configured web servers
New - Support for the Block Bindings API in WordPress 6.5 with a new acf/field source. For more information on how to use this, please read the release blog post
New - Support for performance improvements for translations in WordPress 6.5
Enhancement - A new JS filter, select2_escape_markup, now allows fields to customize select2's HTML escaping behavior
Fix - Options pages can no longer be set to have a parent of themselves
Fix - ACF PRO license activations on multisite subsite installs will now use the correct site URL
Fix - ACF PRO installed on multisite installs will no longer try to check for updates when the updates page is not visible, which resulted in 404 errors
Fix - ACF JSON no longer produces warnings on Windows servers when no ACF JSON folder is found
Fix - Field and layout names can now contain valid non-ASCII characters
Other - ACF PRO now requires a valid license to be activated in order to use PRO features
Fix - A fatal JS error no longer occurs when editing fields in the classic editor while Yoast or other plugins that load block editor components are installed
Fix - Using $escape_html on get functions for array-returning field types no longer produces an Array to string conversion error