
Advanced Custom Fields: Position Field Security & Risk Analysis
wordpress.org/plugins/advanced-custom-fields-position-field
Addon for Advanced Custom Fields that adds a position field (country/region/city) to the available field types
Is Advanced Custom Fields: Position Field Safe to Use in 2026?
Generally Safe
Score 85/100
Advanced Custom Fields: Position Field has no known CVEs and is actively maintained. The score is justified here by that clean vulnerability history and the maintenance signals; weigh it against the static-analysis findings below before treating it as a clean bill of health. It's a reasonable choice for most WordPress installations provided those findings are reviewed.
The "advanced-custom-fields-position-field" v1.1 plugin presents a mixed security posture. On the positive side, it avoids dangerous functions, file operations, and external HTTP requests. A majority of its SQL queries use prepared statements and a reasonable share of its outputs are properly escaped, which is a better baseline than many small add-ons manage. The absence of any recorded vulnerabilities in its history is encouraging, though for a plugin with this install base it may reflect limited scrutiny as much as past diligence.
However, the static analysis raises significant concerns. The plugin exposes two AJAX handlers without any authentication checks, creating a substantial attack surface. All three analyzed taint flows resulted in unsanitized paths rated high severity, meaning attacker-controlled input reaches a sensitive sink without validation. The complete lack of nonce checks and capability checks on its entry points compounds this: missing nonce checks make the handlers callable cross-site (CSRF), and missing capability checks mean anyone who can reach admin-ajax.php can invoke them regardless of role. Whether the unsanitized paths amount to privilege escalation, injection, or reflected output depends on what the sinks are, which this report does not identify.
In conclusion, while the plugin has a clean vulnerability history and avoids some common pitfalls, the unprotected AJAX handlers and high-severity unsanitized taint flows are critical weaknesses that demand attention before the plugin is deployed on a site with untrusted users. The lack of basic nonce and capability checks on exposed entry points is a significant oversight.
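To make the reported pattern concrete, here is an added example that is not code from this plugin or its author. It contrasts an AJAX handler exhibiting the weaknesses listed in this report (reachable without login, no nonce, no capability check, unsanitized input reflected into output) with a hardened version. The handler names, action names, capability and request parameters are hypothetical; the WordPress APIs (`add_action`, `check_ajax_referer`, `current_user_can`, `sanitize_text_field`, `wp_send_json_*`, `wp_create_nonce`, `wp_localize_script`) are real.

```php
<?php
// Added illustration, not code from advanced-custom-fields-position-field.
// Action names, handler names and the 'country' parameter are hypothetical.

// --- The pattern the report flags -------------------------------------------
// wp_ajax_nopriv_ makes the handler reachable by anonymous visitors; there is
// no nonce (CSRF), no capability check, and the request value is echoed raw.
add_action( 'wp_ajax_acfpos_demo_lookup',        'acfpos_demo_lookup_unsafe' );
add_action( 'wp_ajax_nopriv_acfpos_demo_lookup', 'acfpos_demo_lookup_unsafe' );

function acfpos_demo_lookup_unsafe() {
    $country = $_POST['country'];                        // untrusted, unsanitized
    echo '<li class="country">' . $country . '</li>';    // unescaped output sink
    wp_die();
}

// --- Hardened form ----------------------------------------------------------
// Only the logged-in hook is registered. With no wp_ajax_nopriv_ registration,
// anonymous callers get admin-ajax.php's default "0" / HTTP 400 response.
add_action( 'wp_ajax_acfpos_demo_lookup_safe', 'acfpos_demo_lookup_safe' );

function acfpos_demo_lookup_safe() {
    // 1. CSRF: verify the nonce sent in the 'nonce' field; dies with 403 on failure.
    check_ajax_referer( 'acfpos_demo_lookup', 'nonce' );

    // 2. Authorization: a field used while editing posts needs that capability,
    //    not merely "is logged in" (subscribers can also reach admin-ajax.php).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: unslash, strip tags/control characters, bound length.
    $country = isset( $_POST['country'] )
        ? sanitize_text_field( wp_unslash( $_POST['country'] ) )
        : '';
    if ( '' === $country || strlen( $country ) > 64 ) {
        wp_send_json_error( array( 'message' => 'invalid country' ), 400 );
    }

    // 4. Output: return JSON, not raw HTML. The consuming script must insert
    //    the value as text (textContent / jQuery .text()), never as innerHTML.
    //    If the handler had to emit HTML, it would echo esc_html( $country ).
    wp_send_json_success( array( 'country' => $country ) );
}

// The nonce has to reach the browser for step 1 to be satisfiable. Expose it
// alongside the AJAX URL when the field's admin script is enqueued.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'acfpos-demo',
        plugins_url( 'js/demo.js', __FILE__ ),   // hypothetical script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'acfpos-demo', 'acfposDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'acfpos_demo_lookup' ),
    ) );
} );
```

When auditing a handler like the first one, the three checks to look for are exactly the ones the report lists as missing: a `wp_ajax_nopriv_` registration that should not exist, no `check_ajax_referer` or `wp_verify_nonce` call, and no `current_user_can` gate. Sanitizing on input and escaping at the point of render are what close the unsanitized taint paths.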
Key Concerns
- AJAX handlers without auth checks
- High severity unsanitized taint flows
- No nonce checks on entry points
- No capability checks on entry points
- Unescaped output detected
Advanced Custom Fields: Position Field Security Vulnerabilities
No recorded vulnerabilities for this plugin.
Advanced Custom Fields: Position Field Code Analysis
Bundled Libraries
SQL Query Safety
Output Escaping
Data Flow Analysis
Advanced Custom Fields: Position Field Attack Surface
AJAX Handlers: 2
Shortcodes: 1
WordPress Hooks: 1
Advanced Custom Fields: Position Field Maintenance & Trust
Maintenance Signals
Community Trust
Advanced Custom Fields: Position Field Alternatives
ACF qTranslate
acf-qtranslate
Provides qTranslate compatible ACF field types for Text, Text Area, WYSIWYG, Image and File.
Admin Columns for ACF Fields
admin-columns-for-acf-fields
Allows you to enable columns for your ACF fields in post and taxonomy overviews (e.g. "All Posts") in the WordPress admin backend.
Advanced Custom Fields: Typography Field
acf-typography-field
A Typography Add-on for the Advanced Custom Fields Plugin.
ACF: Google Map Extended
advanced-custom-fields-google-map-extended
ACF field. Saves map center, zoom level. Disables map zooming on scroll. Shows location coordinates. Bonus for programmers.
whatwedo ACF Cleaner
whatwedo-acf-cleaner
Cleanup old metadata created by Advanced Custom Fields.
Advanced Custom Fields: Position Field Developer Profile
11 plugins · 31K total installs
How We Detect Advanced Custom Fields: Position Field
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/advanced-custom-fields-position-field/css/acf-position.css
/wp-content/plugins/advanced-custom-fields-position-field/js/acf-position.js
HTML / DOM Fingerprints
country-selector-list
field-inner
css3-loader
select2-container
acf-position-field
data-field_name=acf-position
data-id=acf-position
acf_position_field