Guard select field update_value against nested-array values

includes/fields/class-acf-field-select.php

@@ -575,8 +575,14 @@ public function update_value( $value, $post_id, $field ) {
 
 			// Format array of values.
 			// - Parse each value as string for SQL LIKE queries.
+			// - Guard against nested arrays (e.g. crafted POST input) by stringifying scalars only.
 			if ( is_array( $value ) ) {
-				$value = array_map( 'strval', $value );
+				$value = array_map(
+					static function ( $v ) {
+						return is_scalar( $v ) ? strval( $v ) : '';
+					},
+					$value
+				);
 			}
 
 			// Save custom options back to the field definition if configured.

tests/php/includes/fields/test-class-acf-field-select.php

@@ -202,6 +202,31 @@ public function test_update_value_converts_to_strings() {
 		$this->assertContains( 'blue', $result );
 	}
 
+	/**
+	 * Test update_value handles a nested-array value without emitting
+	 * an "Array to string conversion" warning.
+	 *
+	 * A crafted POST such as acf[field_key][0][]=x produces a value where an
+	 * element is itself an array. update_value stringifies submitted values, and
+	 * array_map( 'strval', ... ) on such input triggers a PHP warning. The field
+	 * should handle this gracefully rather than emit the diagnostic.
+	 *
+	 * PHPUnit is configured with convertWarningsToExceptions, so an
+	 * "Array to string conversion" warning would surface as a test failure.
+	 */
+	public function test_update_value_nested_array() {
+		$field = $this->get_field( array( 'multiple' => 1 ) );
+
+		$result = $this->field_instance->update_value( array( array( 'x' ) ), $this->post_id, $field );
+
+		$this->assertIsArray( $result );
+
+		// Every stored value must be a scalar string; nested arrays must not leak through.
+		foreach ( $result as $stored ) {
+			$this->assertIsString( $stored );
+		}
+	}
+
 	/**
 	 * Test get_rest_schema returns valid schema.
 	 */