Does ACF PHP VARS have any unpatched vulnerabilities?

No. All known vulnerabilities in ACF PHP VARS have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is ACF PHP VARS compatible with WordPress 4.9.29?

According to WordPress.org data, ACF PHP VARS 1.3 has been tested up to WordPress 4.9.29. Check the plugin's changelog for the latest compatibility information.

How often is ACF PHP VARS updated?

ACF PHP VARS was last updated on Oct 4, 2018. Frequent updates are generally a positive security signal.

What is ACF PHP VARS's security score?

ACF PHP VARS has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

ACF PHP VARS Security & Risk Analysis

wordpress.org/plugins/acf-php-vars

Lists all ACF/ACF PRO variables of created fields so that you can simply copy-and-paste into your theme template files.

10 active installs v1.3 PHP + WP 3.0.1+ Updated Oct 4, 2018

acfadvanced-custom-fieldsphptemplatetheme

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is ACF PHP VARS Safe to Use in 2026?

Generally Safe

Score 85/100

ACF PHP VARS has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago

Risk Assessment

The ACF-PHP Vars plugin v1.3 exhibits a generally positive security posture based on the static analysis and vulnerability history provided. The absence of any identified attack surface entry points, dangerous functions, file operations, or external HTTP requests is a significant strength. Furthermore, the lack of any recorded vulnerabilities, critical taint flows, or unsanitized paths suggests a well-developed and secure codebase in its current state. However, there are areas for improvement that, while not indicating immediate critical risks, warrant attention. The low percentage of properly escaped output (19%) is a notable concern. While the static analysis didn't detect any specific unsanitized output leading to a taint flow, this deficiency could potentially lead to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is ever introduced into these unescaped outputs in the future. The plugin also lacks nonce and capability checks, which are crucial for preventing unauthorized actions, although the absence of any entry points currently mitigates this risk.

Key Concerns

Low output escaping percentage
Missing nonce checks
Missing capability checks

Vulnerabilities

None known

ACF PHP VARS Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

ACF PHP VARS Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

5 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

67% prepared3 total queries

Output Escaping

19% escaped26 total outputs

Attack Surface

ACF PHP VARS Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 6

actionadmin_enqueue_scriptsacf-php-vars.php:44

actioninitacf-php-vars.php:45

actionadmin_noticesacf-php-vars.php:55

actionadmin_noticesacf-php-vars.php:66

actionadmin_menuinc\acf-spv-options.php:22

actionadd_meta_boxesinc\acf-spv-options.php:306

Maintenance & Trust

ACF PHP VARS Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29

Last updatedOct 4, 2018

PHP min version

Downloads3K

Community Trust

Rating96/100

Number of ratings5

Active installs10

Alternatives

ACF PHP VARS Alternatives

ACF Theme Code for Advanced Custom Fields

acf-theme-code

Automatically generate the code needed to implement Advanced Custom Fields in your themes.

10K No CVEs

ACF-VC Integrator

acf-vc-integrator

ACF-VC Plugin puts a ACF element into your WPBakery Page Builder making it easier than ever to use your custom created fields in your own page design.

3K No CVEs

ACF Content Analysis for Yoast SEO

acf-content-analysis-for-yoast-seo

100

WordPress plugin that adds the content of all ACF fields to the Yoast SEO score analysis.

100K No CVEs

Advanced Custom Fields: Font Awesome Field

advanced-custom-fields-font-awesome

Adds a new 'Font Awesome Icon' field to the popular Advanced Custom Fields plugin.

100K 1 CVE

Table Field Add-on for ACF and SCF

advanced-custom-fields-table-field

A Table Field Add-on for the Advanced Custom Fields and Secure Custom Fields Plugin.

50K 2 CVEs

Developer Profile

ACF PHP VARS Developer Profile

samjco

1 plugin · 10 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect ACF PHP VARS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/acf-php-vars/css/table.css/wp-content/plugins/acf-php-vars/js/clipboard.min.js/wp-content/plugins/acf-php-vars/js/functions.js/wp-content/plugins/acf-php-vars/js/jquery.tablesorter.min.js

HTML / DOM Fingerprints

CSS Classes

tablesorterxtr-tableheadacfpv-titlevardesccodevartitlechange-functiontoggle-container

Data Attributes

data-clipboard-actiondata-clipboard-targetdata-name1data-name2

FAQ