I can’t find the actual number because Automattic’s tweet[1] announcing it has been deleted, but it’s the one mentioned in the ACF 6.3.8 release notes[2]. The authors of ACF can’t upload that version to wordpress.org themselves because Matt banned them from there before making the announcement.
ETA: Matt says[3] it’s a different vulnerability. Anybody willing to break out the almighty diff?
ETA: Matt says[3] it’s a different vulnerability. Anybody willing to break out the almighty diff?
[1] Discussed at the time: https://news.ycombinator.com/item?id=41752289
[2] https://www.advancedcustomfields.com/blog/acf-6-3-8-security...
[3] https://news.ycombinator.com/item?id=41821829