Impact
The vulnerability in the Beee ACF City Selector plugin lets an unauthorized user retrieve embedded sensitive system information from the plugin's configuration or internal data. This is a classic data-exposure flaw that can leak configuration details and potentially other hidden values that the plugin stores. The weakness is classified as CWE-497, indicating that sensitive data is handled improperly and access to it is not appropriately restricted.
Affected Systems
The affected vendor is Beee, and the affected product is its ACF City Selector plugin. All released versions up to and including 1.17.0 are impacted; the vulnerability description gives the range as the first release through 1.17.0. Users who have not upgraded beyond that version should verify whether the plugin is still installed and whether a newer release is available.
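One way to run that check across a WordPress install, as an added example that is not part of the advisory or the plugin's code: it reads each plugin's header comment and flags any copy of the plugin at or below 1.17.0. The default `wp-content/plugins` path and the "ACF City Selector" text of the `Plugin Name` header are assumptions; adjust them to the site being audited.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (1, 17, 0)          # from the advisory: up to and including 1.17.0
NAME_NEEDLE = "acf city selector"   # assumption: text of the "Plugin Name" header

def read_header(php_file, field):
    """Return a WordPress plugin header field, or None (WP reads the first 8 KB)."""
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
    return m.group(1).strip() if m else None

def parse_version(text):
    """'1.17.0' -> (1, 17, 0); missing parts are zero, suffixes like '-beta' ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def find_affected(plugins_dir):
    """Return (path, version, affected) for each matching plugin under plugins_dir."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        name = read_header(php, "Plugin Name")
        if not name or NAME_NEEDLE not in name.lower():
            continue
        version = read_header(php, "Version") or ""
        # Fail closed: a copy with no readable version is reported as affected.
        affected = not version or parse_version(version) <= LAST_AFFECTED
        results.append((str(php), version, affected))
    return results

if __name__ == "__main__":
    hits = find_affected(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins")
    for path, version, affected in hits:
        print(f"{'AFFECTED' if affected else 'ok':8} {version or '?':10} {path}")
    sys.exit(1 if any(a for _, _, a in hits) else 0)
```

An "ok" result only means the installed version is above 1.17.0; the advisory text here does not name a fixed release, so confirm against the vendor's changelog.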
Risk and Exploitability
The CVSS score of 5.3 places this issue in the medium severity band. The EPSS score is less than 1%, indicating a low probability of exploitation in the wild, and the issue has no KEV listing, but neither removes the risk of data leakage to attackers who can discover the plugin. The likely attack vector is the web interface where the plugin is active, possibly requiring only authenticated user privileges, or no authentication if the plugin exposes data to all users. An attacker gains read-only access to sensitive configuration data, compromising confidentiality.