From 361a3f056ce78602baab99896432f06ac864aa62 Mon Sep 17 00:00:00 2001
From: Carlos Bravo <37012961+cbravobernal@users.noreply.github.com>
Date: Fri, 12 Jun 2026 12:20:09 +0200
Subject: [PATCH 1/2] Guard select field update_value against nested-array values
ACF_Field_Select::update_value() stringifies submitted values via array_map( 'strval', $value ) so they can be matched by SQL LIKE queries. When an element of $value is itself an array (which can be submitted via crafted POST input such as acf[field_key][0][]=x), this raises an "Array to string conversion" warning. Stringify only scalar elements and coerce non-scalar elements to an empty string. Normal scalar arrays of values are unaffected. The checkbox field delegates to this method, so it is covered by the same guard. This file is upstream-derived; the same guard applies upstream.
Co-Authored-By: Claude Fable 5
---
 includes/fields/class-acf-field-select.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/includes/fields/class-acf-field-select.php b/includes/fields/class-acf-field-select.php
index 5154018a..fe5f1792 100644
--- a/includes/fields/class-acf-field-select.php
+++ b/includes/fields/class-acf-field-select.php
@@ -575,8 +575,14 @@ public function update_value( $value, $post_id, $field ) {
 // Format array of values.
 // - Parse each value as string for SQL LIKE queries.
+ // - Guard against nested arrays (e.g. crafted POST input) by stringifying scalars only.
 if ( is_array( $value ) ) {
- $value = array_map( 'strval', $value );
+ $value = array_map(
+ static function ( $v ) {
+ return is_scalar( $v ) ? strval( $v ) : '';
+ },
+ $value
+ );
 }
 // Save custom options back to the field definition if configured.
From e2f08bc38ba9df1faf5aa2382be531fe329ad3ff Mon Sep 17 00:00:00 2001
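Review bot: The closure passed to the new array_map keeps a placeholder `''` for every non-scalar element, so a submission such as `acf[field_key][0][]=x` still leaves an empty-string entry in the array that update_value goes on to save (the "Save custom options" block begins right after the hunk, and update_value's body starts before it). If an empty string is not a meaningful selection for this field, dropping the invalid elements keeps the guard without persisting them: `$value = array_values( array_map( 'strval', array_filter( $value, 'is_scalar' ) ) );`. The commit message says `''` was chosen deliberately; if that stands, the added comment should state the outcome rather than only the mechanism, e.g. `// - Non-scalar elements (e.g. crafted acf[field_key][0][]=x input) are stored as '' instead of raising "Array to string conversion".`. Whether a stored `''` can later be read back as a selected choice depends on code outside this hunk and is worth confirming either way.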
From: Carlos Bravo <37012961+cbravobernal@users.noreply.github.com>
Date: Fri, 12 Jun 2026 12:20:15 +0200
Subject: [PATCH 2/2] Add regression test for select update_value nested-array values
Calls update_value with a nested-array value (an element that is itself an array, as produced by crafted POST input) and asserts no "Array to string conversion" warning is emitted and only scalar strings are stored. PHPUnit is configured with convertWarningsToExceptions, so the warning surfaces as a test failure against the unpatched code.
Co-Authored-By: Claude Fable 5
---
 .../fields/test-class-acf-field-select.php | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/tests/php/includes/fields/test-class-acf-field-select.php b/tests/php/includes/fields/test-class-acf-field-select.php
index 106b7969..ed258dcc 100644
--- a/tests/php/includes/fields/test-class-acf-field-select.php
+++ b/tests/php/includes/fields/test-class-acf-field-select.php
@@ -202,6 +202,31 @@ public function test_update_value_converts_to_strings() {
 $this->assertContains( 'blue', $result );
 }
+ /**
+ * Test update_value handles a nested-array value without emitting
+ * an "Array to string conversion" warning.
+ *
+ * A crafted POST such as acf[field_key][0][]=x produces a value where an
+ * element is itself an array. update_value stringifies submitted values, and
+ * array_map( 'strval', ... ) on such input triggers a PHP warning. The field
+ * should handle this gracefully rather than emit the diagnostic.
+ *
+ * PHPUnit is configured with convertWarningsToExceptions, so an
+ * "Array to string conversion" warning would surface as a test failure.
+ */
+ public function test_update_value_nested_array() {
+ $field = $this->get_field( array( 'multiple' => 1 ) );
+
+ $result = $this->field_instance->update_value( array( array( 'x' ) ), $this->post_id, $field );
+
+ $this->assertIsArray( $result );
+
+ // Every stored value must be a scalar string; nested arrays must not leak through.
+ foreach ( $result as $stored ) {
+ $this->assertIsString( $stored );
+ }
+ }
+
 /**
 * Test get_rest_schema returns valid schema.
 */
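Review bot: The new test_update_value_nested_array only checks that each stored element is a string, so it would also pass if update_value dropped every element or kept the wrong ones, and its ability to fail against unpatched code rests entirely on the convertWarningsToExceptions setting (a PHPUnit configuration option that, if I recall correctly, later PHPUnit majors no longer honour). Asserting the documented outcome directly makes the regression check independent of that setting: submit a mixed value, `$result = $this->field_instance->update_value( array( 'red', array( 'x' ) ), $this->post_id, $field );`, then `$this->assertContains( 'red', $result );` and `$this->assertNotContains( array( 'x' ), $result );`. If update_value returns the mapped array unchanged, as the sibling test's assertContains( 'blue', $result ) suggests, `$this->assertSame( array( 'red', '' ), $result );` is the tightest form and also pins the commit's "coerce non-scalar elements to an empty string" choice. The enclosing test class starts and ends outside the hunk.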