The address format template is expanded with eval(), without any input checks or escaping.
So if you provide an address format of, say:
〒$postcode$cr$country$cr$state $city$cr$streets$cr$lastname $firstname";$x=1;echo $x."
the `";` closes the string literal the format is embedded in, the remainder runs as PHP, and it will output 1 to the screen.

There is no way to alter address formats without database access, so in order to execute code someone would have to be able to modify the database. It does, however, give anyone who gains control of the database (through SQL injection, for example) a way, depending on settings, to escalate to much wider server access, since the eval() runs with the web server's privileges.

An easy solution would be to make an array of the possible address fields, loop over it, and replace each placeholder in the format with plain string substitution, so the format is never interpreted as code.
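As an added example (not code from the original report or from the affected project), the eval-based expansion described above next to the array-of-fields replacement suggested as the fix. The function names, the field list and the sample address are assumptions for illustration:

```php
<?php
// Added example, not the project's own code. format_address_vulnerable() models
// the eval-based template expansion described in the report; format_address_safe()
// is the array-of-fields replacement suggested as the fix. Names and the field
// list are assumptions for illustration.

// Address values as they would come from the customer record (constructed sample).
$address = [
    'firstname' => 'Taro',
    'lastname'  => 'Yamada',
    'streets'   => '1-2-3 Chiyoda',
    'city'      => 'Chiyoda-ku',
    'state'     => 'Tokyo',
    'postcode'  => '100-0001',
    'country'   => 'Japan',
];

// Vulnerable: the format string is spliced into PHP source and evaluated.
// A format containing `";` terminates the string literal, and anything that
// follows runs as PHP with the web server's privileges. Never call this with
// a format you do not fully trust.
function format_address_vulnerable(string $format, array $a): string
{
    $firstname = $a['firstname']; $lastname = $a['lastname'];
    $streets   = $a['streets'];   $city     = $a['city'];
    $state     = $a['state'];     $postcode = $a['postcode'];
    $country   = $a['country'];   $cr       = "\n";
    $out = '';
    eval('$out = "' . $format . '";');
    return $out;
}

// Hardened: placeholders are replaced by plain string substitution, so the
// format is never interpreted as code. Unknown tokens are left as literal text.
function format_address_safe(string $format, array $a): string
{
    $fields = ['firstname', 'lastname', 'streets', 'city', 'state',
               'postcode', 'country'];
    $map = ['$cr' => "\n"];
    foreach ($fields as $f) {
        $map['$' . $f] = $a[$f] ?? '';
    }
    // strtr() tries the longest keys first (so "$streets" is not mistaken for
    // "$state") and does not rescan inserted text, so an address value that
    // itself contains "$city" is not expanded a second time.
    return strtr($format, $map);
}

$legit     = '〒$postcode$cr$country$cr$state $city$cr$streets$cr$lastname $firstname';
$malicious = $legit . '";$x=1;echo $x."';

echo format_address_safe($legit, $address), "\n";
// With the malicious format the safe version simply prints the trailing
// `";$x=1;echo $x."` as literal text; the eval() version would have executed it.
echo format_address_safe($malicious, $address), "\n";
```

The hardened version deliberately uses strtr() rather than a sequential str_replace() over the field array: str_replace() with arrays rescans the partially substituted string, so a customer-controlled field value containing another placeholder would be expanded as well.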