ACF City Selector Security & Risk Analysis

wordpress.org/plugins/acf-city-selector

This plugin adds a new (ACF) field to select a city depending on country and state/province.

200 active installs · v1.17.0 · PHP 7.0+ · WP 3.6.0+ · Updated Aug 28, 2025
Tags: advanced-custom-fields, city, country, province, state
Score: 76 · B · Generally Safe
CVEs total: 2
Unpatched: 1
Last CVE: Apr 1, 2025
Safety Verdict

Is ACF City Selector Safe to Use in 2026?

Mostly Safe

Score 76/100

ACF City Selector is generally safe to use. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · 1 unpatched · Last CVE: Apr 1, 2025 · Updated 7mo ago
Risk Assessment

The 'acf-city-selector' v1.17.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices with 100% of SQL queries using prepared statements and a significant number of nonce and capability checks. All identified AJAX entry points also appear to have authentication checks, contributing to a reduced attack surface from direct exploitation. However, concerns arise from the taint analysis, which revealed three high-severity flows with unsanitized paths. These could potentially lead to vulnerabilities if not handled carefully, even with other security measures in place.

The vulnerability history is a significant concern. With two known CVEs, one of which remains unpatched and rated as high severity, the plugin has a history of exposing sensitive information and allowing unrestricted file uploads. This pattern indicates recurring security weaknesses that attackers may still be able to exploit. While the current code analysis shows improvements in some areas like SQL, the lingering unpatched vulnerability and past issues point to a need for continued vigilance and prompt patching.

In conclusion, while 'acf-city-selector' v1.17.0 has made strides in secure coding practices regarding database interactions and input validation at entry points, the presence of high-severity taint flows and a history of unpatched vulnerabilities significantly detract from its overall security. The unpatched high-severity CVE is the most pressing issue, alongside the potential for exploitation of the identified unsanitized paths.

Key Concerns

  • Unpatched High Severity CVE
  • High Severity Taint Flows (Unsanitized Paths)
  • Medium Severity CVE (Known history)
  • Unescaped Output (29% of outputs)
Vulnerabilities: 2

ACF City Selector Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE · unpatched

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2025-31832 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

ACF City Selector <= 1.16.0 - Unauthenticated Sensitive Information Exposure

Apr 1, 2025 · Unpatched

CVE-2024-56264 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

ACF City Selector <= 1.14.0 - Authenticated (Admin+) Arbitrary File Upload

Dec 30, 2024 · Patched in 1.15.0 (10d)
Code Analysis
Analyzed Mar 16, 2026

ACF City Selector Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 · 42 prepared
Unescaped Output: 111 · 271 escaped
Nonce Checks: 15
Capability Checks: 7
File Operations: 3
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 42 total queries

Output Escaping

71% escaped · 382 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

9 flows · 3 with unsanitized paths
acfcs_info_page (admin\acfcs-info.php:5)
Attack Surface

ACF City Selector Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 4

auth · wp_ajax_get_states_call · inc\acfcs-ajax.php:58
nopriv · wp_ajax_get_states_call · inc\acfcs-ajax.php:59
auth · wp_ajax_get_cities_call · inc\acfcs-ajax.php:131
nopriv · wp_ajax_get_cities_call · inc\acfcs-ajax.php:132

WordPress Hooks 28

action · acf/register_fields · ACF_City_Selector.php:56
action · acf/include_field_types · ACF_City_Selector.php:57
action · admin_enqueue_scripts · ACF_City_Selector.php:59
action · admin_menu · ACF_City_Selector.php:60
action · admin_init · ACF_City_Selector.php:61
action · admin_init · ACF_City_Selector.php:62
action · admin_init · ACF_City_Selector.php:63
action · admin_notices · ACF_City_Selector.php:64
action · init · ACF_City_Selector.php:65
action · plugins_loaded · ACF_City_Selector.php:66
action · plugins_loaded · ACF_City_Selector.php:67
action · plugins_loaded · ACF_City_Selector.php:68
action · acf/input/admin_l10n · ACF_City_Selector.php:70
action · admin_notices · ACF_City_Selector.php:290
action · admin_notices · ACF_City_Selector.php:313
action · acfcs_after_success_import · inc\acfcs-actions.php:23
action · acfcs_store_meta · inc\acfcs-actions.php:52
action · acfcs_admin_menu · inc\acfcs-actions.php:98
action · acfcs_delete_file · inc\acfcs-actions.php:123
action · current_screen · inc\acfcs-help-tabs.php:112
action · admin_init · inc\form-handling.php:42
action · admin_init · inc\form-handling.php:76
action · admin_init · inc\form-handling.php:100
action · admin_init · inc\form-handling.php:121
action · admin_init · inc\form-handling.php:159
action · admin_init · inc\form-handling.php:178
action · admin_init · inc\form-handling.php:198
action · admin_init · inc\form-handling.php:221
Maintenance & Trust

ACF City Selector Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 28, 2025
PHP min version: 7.0
Downloads: 10K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 200
Developer Profile

ACF City Selector Developer Profile

Beee

4 plugins · 330 total installs

Trust score: 78
Avg Security Score: 77/100
Avg Patch Time: 10 days
Detection Fingerprints

How We Detect ACF City Selector

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/acf-city-selector/css/acf-city-selector.css
/wp-content/plugins/acf-city-selector/js/acf-city-selector.js
/wp-content/plugins/acf-city-selector/js/acf-city-selector-admin.js

Script Paths
/wp-content/plugins/acf-city-selector/js/acf-city-selector.js
/wp-content/plugins/acf-city-selector/js/acf-city-selector-admin.js

Version Parameters
/wp-content/plugins/acf-city-selector/css/acf-city-selector.css?ver=
/wp-content/plugins/acf-city-selector/js/acf-city-selector.js?ver=
/wp-content/plugins/acf-city-selector/js/acf-city-selector-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
acf-city-selector-field

HTML Comments
<!-- City Selector -->
<!-- Search Form -->
<!-- Preview -->
<!-- Settings -->
+2 more

Data Attributes
data-acfcs-state-url
data-acfcs-province-url
data-acfcs-city-url
data-acfcs-nonce
data-acfcs-country
data-acfcs-province
+1 more

JS Globals
acf_city_selector_params

REST Endpoints
/wp-json/acf-city-selector/v1/get-states
/wp-json/acf-city-selector/v1/get-cities