Store Locator WordPress Security & Risk Analysis

wordpress.org/plugins/agile-store-locator

Agile Store Locator is a premium store finder plugin designed to offer you immediate access to all the best stores in your local area.

Active installs: 10K · Version: v1.6.5 · Requires: PHP (not listed), WP 3.3.2+ · Updated Feb 17, 2026
Tags: directions, google-maps, location-finder, store-finder, store-locator
Security score: 89 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Dec 14, 2025
Safety Verdict

Is Store Locator WordPress Safe to Use in 2026?

Generally Safe

Score 89/100

Store Locator WordPress has a strong security track record by this page's scoring. All 8 known CVEs have a fixed release and none is currently unpatched; note, however, that the developer's average patch time is listed below as 163 days.

8 known CVEs · Last CVE: Dec 14, 2025 · Updated 1mo ago
Risk Assessment

The agile-store-locator plugin v1.6.5 exhibits a mixed security posture. The code signals are partly reassuring: no dangerous functions were found, and 176 of 277 SQL queries (64%) go through prepared statements. The concerns are input handling and exposed surface. Of the 9 entry points (3 AJAX handlers and 6 shortcodes), 2 carry no authentication check. One of them, the nopriv wp_ajax_asl_load_stores handler, is reachable by anonymous visitors; a public store finder generally has to serve anonymous visitors, so for that handler the question is how its parameters are sanitized rather than whether it requires a login. The taint analysis reports 41 unsanitized paths across the 25 analyzed flows, 28 of them rated High. The one flow the page names, remove_kml_file in includes\admin\google-map.php, is, judging by its name, a file-deletion routine, the same class of operation as the plugin's 2023 path-traversal CVE. Only 1 nonce check and 4 capability checks were counted against 26 file operations and 3 external requests, and the analysis gives no sanitization context for the file operations.

The vulnerability history is a significant red flag. Eight known CVEs, two of them high severity, with the most recent disclosed in December 2025, indicate a recurring pattern rather than a one-off. The recorded types (SQL injection, path traversal, stored and reflected cross-site scripting, and CSRF) line up with the static findings: unsanitized taint paths, 27% output escaping, a single nonce check, and unprotected entry points. No CVE is currently unpatched, but the history suggests further findings are likely unless the underlying coding practices change. The bundled DataTables library also warrants attention: the page does not report its version, and a bundled copy is only refreshed when the plugin itself ships an update, so it should be compared against the upstream release when auditing an install.

In conclusion, the prepared-statement usage is a good sign, but the volume of high-severity unsanitized flows, the entry points without authorization checks, and a history of multiple high-severity vulnerabilities describe a plugin that needs attention now. The unsanitized flows and the missing authorization on crucial entry points are the most critical immediate risks; the historical trend suggests ongoing security challenges that need proactive work. Site owners should run 1.6.3 or later, the release that fixes the latest SQL injection (CVE-2025-67516).

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows (28)
  • Unsanitized paths in all analyzed flows (41)
  • High severity vulnerabilities in history (2)
  • Low percentage of properly escaped output
  • Bundled library (DataTables)
  • Limited nonce checks
Vulnerabilities (8)

Store Locator WordPress Security Vulnerabilities

CVEs by Year

2022: 2 CVEs
2023: 3 CVEs
2025: 3 CVEs

Severity Breakdown

High: 2
Medium: 6

8 total CVEs

CVE-2025-67516 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Store Locator WordPress <= 1.6.2 - Authenticated (Contributor+) SQL Injection
Dec 14, 2025 · Patched in 1.6.3 (6d)

CVE-2025-49329 · high · 7.2 · Unrestricted Upload of File with Dangerous Type
Store Locator WordPress <= 1.5.2 - Authenticated (Admin+) Arbitrary File Upload
Jun 5, 2025 · Patched in 1.5.3 (6d)

CVE-2025-49328 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Store Locator WordPress <= 1.5.1 - Authenticated (Administrator+) SQL Injection
Jun 5, 2025 · Patched in 1.5.2 (6d)

CVE-2023-50885 · medium · 6.6 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Store Locator WordPress <= 1.4.14 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Deletion
Dec 26, 2023 · Patched in 1.4.15 (28d)

CVE-2023-4151 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Store Locator WordPress <= 1.4.12 - Reflected Cross-Site Scripting via 'asl-nounce'
Aug 10, 2023 · Patched in 1.4.13 (166d)

CVE-2023-27618 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Store Locator WordPress <= 1.4.9 - Authenticated (Editor+) Stored Cross-Site Scripting via 'category_name', 'description', 'description_2' parameters
Mar 20, 2023 · Patched in 1.4.10 (309d)

CVE-2022-4832 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Store Locator WordPress <= 1.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Dec 24, 2022 · Patched in 1.4.9 (395d)

CVE-2022-41615 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Store Locator WordPress <= 1.4.5 - Cross-Site Request Forgery to Cross-Site Scripting
Sep 28, 2022 · Patched in 1.4.6 (482d)
Code Analysis
Analyzed Mar 16, 2026

Store Locator WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 101 (176 prepared)
Unescaped Output: 1157 (430 escaped)
Nonce Checks: 1
Capability Checks: 4
File Operations: 26
External Requests: 3
Bundled Libraries: 1

Bundled Libraries

DataTables

SQL Query Safety

64% prepared (277 total queries)

Output Escaping

27% escaped (1587 total outputs)
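The 64% figure is a count of queries wrapped in $wpdb->prepare() (the page does not say how it was computed, but that is what such metrics usually measure), and a count like that cannot see whether a value was already interpolated into the format string before prepare() ran, which leaves the query injectable even though it is "prepared". The Python script below is an added example, not the page's analyzer or the plugin's own code: it finds $wpdb sink calls in PHP source, extracts each argument list with quote-aware parenthesis matching, and classifies the call as prepared, prepared-interpolated, raw-dynamic, static, or prepared-nonliteral-format. The PHP it scans is constructed for the example; the asl_stores table and the variable names are placeholders.

```python
import re

# $wpdb methods that execute SQL: the sinks a "Raw SQL Queries" metric counts.
CALL = re.compile(r"\$wpdb->(query|get_results|get_row|get_var|get_col)\s*\(")
# PHP variables other than $wpdb; $wpdb->prefix is the trusted table prefix and is ignored.
UNTRUSTED = re.compile(r"\$(?!wpdb\b)[A-Za-z_]\w*")


def walk(src, start=0):
    """Yield (index, char, quote) for src[start:]; quote is the delimiter of the PHP
    string literal the char sits in, or None in code. Backslash escapes are skipped."""
    quote, i = None, start
    while i < len(src):
        ch = src[i]
        if quote and ch == "\\":
            i += 2
            continue
        yield i, ch, quote
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        i += 1


def balanced_args(src, start):
    """Text between the '(' at src[start] and its matching ')', ignoring parentheses
    inside string literals such as COUNT(*)."""
    depth = 0
    for i, ch, quote in walk(src, start):
        if quote:
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    raise ValueError("unbalanced parentheses")


def first_arg(args):
    """First argument of an argument list: everything up to the first top-level comma."""
    depth = 0
    for i, ch, quote in walk(args):
        if quote:
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            return args[:i]
    return args


def dynamic_vars(expr):
    """Variables that reach the SQL text: those in code (concatenation) and those inside
    double-quoted literals (interpolation). Single-quoted literals never interpolate."""
    code, interp = [], []
    for _, ch, quote in walk(expr):
        if quote == '"':
            interp.append(" " if ch == '"' else ch)
        elif quote is None:
            code.append(ch)
    return UNTRUSTED.findall("".join(code)) + UNTRUSTED.findall("".join(interp))


def classify(args):
    """Classify the argument list of one $wpdb sink call."""
    a = args.strip()
    if a.startswith("$wpdb->prepare"):
        fmt = first_arg(balanced_args(a, a.index("("))).strip()
        if not fmt.startswith(("'", '"')):
            return "prepared-nonliteral-format"   # format built elsewhere: review by hand
        return "prepared-interpolated" if dynamic_vars(fmt) else "prepared"
    return "raw-dynamic" if dynamic_vars(a) else "static"


def scan(php_src):
    """All $wpdb sink calls in the source as (method, classification) pairs."""
    return [(m.group(1), classify(balanced_args(php_src, m.end() - 1)))
            for m in CALL.finditer(php_src)]


def summarize(php_src):
    counts = {}
    for _, kind in scan(php_src):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed PHP sample (not taken from the plugin); asl_stores is a placeholder table.
SAMPLE_PHP = r"""<?php
$rows  = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}asl_stores WHERE id = %d", $id ) );
$row   = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}asl_stores WHERE slug = '$slug'" ) );
$wpdb->query( "DELETE FROM " . $wpdb->prefix . "asl_stores WHERE id = " . $_POST['id'] );
$count = $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->prefix}asl_stores" );
$more  = $wpdb->get_results( $wpdb->prepare( $sql, $id ) );
"""

if __name__ == "__main__":
    for method, kind in scan(SAMPLE_PHP):
        print(f"{method:12s} {kind}")
    print(summarize(SAMPLE_PHP))
```

Run against the sample, the second call is the one worth noticing: it is wrapped in prepare() and would be counted as prepared by a wrapper count, yet $slug is already inside the SQL string when prepare() sees it. The classifier is a heuristic (it does not follow variables across statements or recognise every trusted source), so treat its output as a worklist for review, not a verdict.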
Data Flows (41 unsanitized)

Data Flow Analysis

25 flows · 41 with unsanitized paths
remove_kml_file (includes\admin\google-map.php:114)
Attack Surface (2 unprotected)

Store Locator WordPress Attack Surface

Entry Points: 9 · Unprotected: 2

AJAX Handlers (3)

auth · wp_ajax_asl_ajax_handler · includes\admin\ajax-handler.php:26
auth · wp_ajax_asl_load_stores · includes\plugin.php:123
nopriv · wp_ajax_asl_load_stores · includes\plugin.php:124

Shortcodes (6)

[ASL_STORELOCATOR] · includes\plugin.php:362
[ASL_STORE] · includes\plugin.php:363
[asl_search_widget] · includes\vendors\wpbakery\search-widget.php:32
[asl_store_grid] · includes\vendors\wpbakery\store-cards.php:48
[asl_store_detail] · includes\vendors\wpbakery\store-detail.php:32
[asl_store_locator] · includes\vendors\wpbakery\store-locator.php:32
WordPress Hooks (52)

filter · block_categories_all · admin\blocks\index.php:23
action · enqueue_block_editor_assets · admin\blocks\index.php:54
filter · upload_dir · includes\admin\base.php:369
filter · upload_mimes · includes\admin\google-map.php:95
action · init · includes\admin\manager.php:85
filter · query_vars · includes\admin\manager.php:89
action · media_buttons · includes\admin\manager.php:92
action · admin_head · includes\admin\manager.php:95
action · plugins_loaded · includes\admin\manager.php:98
filter · script_loader_tag · includes\plugin.php:135
action · init · includes\plugin.php:139
action · asl_import_cron · includes\plugin.php:153
action · asl_lead_cron · includes\plugin.php:156
action · init · includes\plugin.php:229
action · plugins_loaded · includes\plugin.php:248
action · admin_menu · includes\plugin.php:295
action · admin_enqueue_scripts · includes\plugin.php:297
action · admin_enqueue_scripts · includes\plugin.php:298
action · wp_enqueue_scripts · includes\plugin.php:359
action · wp_enqueue_scripts · includes\plugin.php:360
action · init · includes\schema\feed.php:86
action · init · includes\schema\feed.php:87
filter · posts_pre_query · includes\store-type.php:26
filter · wpforms_entry_save_data · includes\third-party.php:42
filter · wpforms_field_properties_hidden · includes\third-party.php:48
filter · wpforms_entry_email_atts · includes\third-party.php:51
filter · rank_math/sitemap/enable_caching · includes\third-party.php:88
filter · rank_math/sitemap/providers · includes\third-party.php:90
filter · rank_math/frontend/title · includes\third-party.php:95
filter · rank_math/frontend/canonical · includes\third-party.php:97
filter · the_seo_framework_meta_render_data · includes\third-party.php:112
filter · the_seo_framework_title_from_custom_field · includes\third-party.php:128
action · wpcf7_before_send_mail · includes\vendors\cf7.php:42
action · elementor/widgets/widgets_registered · includes\vendors\elementor\addon.php:41
action · elementor/frontend/after_enqueue_styles · includes\vendors\elementor\addon.php:43
filter · pre_set_site_transient_update_plugins · includes\vendors\updater.php:31
filter · plugins_api · includes\vendors\updater.php:34
action · admin_notices · includes\vendors\wpbakery\search-widget.php:46
action · admin_notices · includes\vendors\wpbakery\store-cards.php:112
action · admin_notices · includes\vendors\wpbakery\store-detail.php:46
action · admin_notices · includes\vendors\wpbakery\store-locator.php:46
filter · wpseo_sitemap_index · includes\vendors\yoast.php:43
filter · wpseo_canonical · includes\vendors\yoast.php:44
filter · wpseo_opengraph_url · includes\vendors\yoast.php:45
filter · wpseo_title · includes\vendors\yoast.php:46
filter · wpseo_opengraph_title · includes\vendors\yoast.php:47
filter · wpseo_metadesc · includes\vendors\yoast.php:48
filter · wpseo_opengraph_desc · includes\vendors\yoast.php:49
action · init · includes\vendors\yoast.php:50
action · init · includes\vendors\yoast.php:51
action · init · includes\vendors\yoast.php:52
action · wpseo_do_sitemap_asl_stores · includes\vendors\yoast.php:148

Scheduled Events (2)

asl_import_cron
asl_lead_cron
Maintenance & Trust

Store Locator WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 17, 2026
PHP min version: (not listed)
Downloads: 224K

Community Trust

Rating: 98/100
Number of ratings: 57
Active installs: 10K
Developer Profile

Store Locator WordPress Developer Profile

Agile Logix

2 plugins · 11K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 163 days
Detection Fingerprints

How We Detect Store Locator WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/agile-store-locator/assets/css/frontend.css
/wp-content/plugins/agile-store-locator/assets/css/animate.min.css
/wp-content/plugins/agile-store-locator/assets/js/frontend.js
/wp-content/plugins/agile-store-locator/assets/js/markerclusterer.js
/wp-content/plugins/agile-store-locator/assets/js/infobox.js
/wp-content/plugins/agile-store-locator/assets/js/jquery.lazy.js
/wp-content/plugins/agile-store-locator/assets/js/frontend-scripts.js
/wp-content/plugins/agile-store-locator/assets/js/asl-map-builder.js
+22 more

Script Paths
/wp-content/plugins/agile-store-locator/assets/js/frontend.js
/wp-content/plugins/agile-store-locator/assets/js/markerclusterer.js
/wp-content/plugins/agile-store-locator/assets/js/infobox.js
/wp-content/plugins/agile-store-locator/assets/js/jquery.lazy.js
/wp-content/plugins/agile-store-locator/assets/js/frontend-scripts.js
/wp-content/plugins/agile-store-locator/assets/js/asl-map-builder.js
+17 more

Version Parameters
agile-store-locator/style.css?ver=
agile-store-locator/admin/blocks/build/index.asset.php

HTML / DOM Fingerprints

CSS Classes
asl-store-locator, asl-map-container, asl-store-details, asl-store-listing, asl-search-form, asl-map-sidebar, asl-loading-overlay

HTML Comments
<!-- Generated by Agile Store Locator -->
<!-- ASL Shortcode Button -->

Data Attributes
data-asl-map-id, data-asl-store-id, data-asl-search-input, data-asl-map-config

JS Globals
ASLMap, ASLConfig, ASLFrontend, asl_locator_options, agileStoreLocator

REST Endpoints
/wp-json/asl-locator/v1/stores
/wp-json/asl-locator/v1/search

Shortcode Output
[asl_store_locator], [asl_search_form], [asl_store_details]
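The fingerprints above identify the plugin; the CVE table earlier on this page gives each vulnerability's last affected version. The Python script below, an added example that is neither this page's scanner nor the plugin's code, joins the two: it detects the plugin from its asset directory, reads the version from the ?ver= parameter on a plugin asset, discards that value when it merely echoes the WordPress core version (a plugin that enqueues assets without its own version string inherits the core version), and lists which of the eight CVE ranges include the detected version. The two HTML pages it runs on are constructed for the example, and shop.example is a made-up host.

```python
import re

# Last affected version per CVE, exactly as the table on this page gives it ("<= X").
# (CVE id, last affected version, severity, CVSS score, short title)
CVES = [
    ("CVE-2025-67516", "1.6.2",  "medium", 6.5, "Authenticated (Contributor+) SQL Injection"),
    ("CVE-2025-49329", "1.5.2",  "high",   7.2, "Authenticated (Admin+) Arbitrary File Upload"),
    ("CVE-2025-49328", "1.5.1",  "medium", 4.9, "Authenticated (Administrator+) SQL Injection"),
    ("CVE-2023-50885", "1.4.14", "medium", 6.6, "Directory Traversal to Arbitrary File Deletion"),
    ("CVE-2023-4151",  "1.4.12", "medium", 6.1, "Reflected XSS via 'asl-nounce'"),
    ("CVE-2023-27618", "1.4.9",  "medium", 4.4, "Authenticated (Editor+) Stored XSS"),
    ("CVE-2022-4832",  "1.4.8",  "medium", 6.4, "Authenticated (Contributor+) Stored XSS via Shortcode"),
    ("CVE-2022-41615", "1.4.5",  "high",   8.8, "CSRF to XSS"),
]

PLUGIN_DIR = "/wp-content/plugins/agile-store-locator/"   # asset-path fingerprint from this page
VER = r"\?ver=([0-9]+(?:\.[0-9]+)+)"                      # dotted version in a ?ver= parameter


def parse_version(v):
    """'1.4.13' -> (1, 4, 13). Tuples order correctly; strings do not ('1.4.9' > '1.4.14')."""
    return tuple(int(p) for p in v.split("."))


def plugin_present(html):
    """Presence: any reference to the plugin's asset directory."""
    return PLUGIN_DIR in html


def core_versions(html):
    """?ver= values on WordPress core assets under /wp-includes/. A plugin that enqueues
    assets without its own version string gets the core version appended instead, so a
    plugin asset carrying one of these values says nothing about the plugin version."""
    return set(re.findall(r"/wp-includes/[^\s\"'?]+" + VER, html))


def detect_version(html):
    """Plugin version from the first plugin asset with a ?ver= parameter, or None when
    there is none or the value merely echoes the core version."""
    m = re.search(re.escape(PLUGIN_DIR) + r"[^\s\"'?]+" + VER, html)
    if not m or m.group(1) in core_versions(html):
        return None
    return m.group(1)


def applicable_cves(version):
    """CVEs whose last affected version is >= the given version, highest CVSS first."""
    v = parse_version(version)
    hits = [c for c in CVES if v <= parse_version(c[1])]
    return sorted(hits, key=lambda c: c[3], reverse=True)


def assess(html):
    """Presence, version and matching CVE ids for one fetched page."""
    if not plugin_present(html):
        return {"present": False, "version": None, "cves": []}
    version = detect_version(html)
    cves = [c[0] for c in applicable_cves(version)] if version else []
    return {"present": True, "version": version, "cves": cves}


# Constructed sample pages; shop.example is a made-up host, not a captured site.
SAMPLE_OLD = """
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/agile-store-locator/assets/css/frontend.css?ver=1.4.13">
<script src="https://shop.example/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://shop.example/wp-content/plugins/agile-store-locator/assets/js/frontend.js?ver=1.4.13"></script>
<div class="asl-store-locator" data-asl-map-id="1"></div>
"""

SAMPLE_CORE_VER = """
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/agile-store-locator/assets/css/frontend.css?ver=6.9.4">
<script src="https://shop.example/wp-includes/js/dist/hooks.min.js?ver=6.9.4"></script>
"""

if __name__ == "__main__":
    for name, page in (("old install", SAMPLE_OLD), ("core version only", SAMPLE_CORE_VER)):
        report = assess(page)
        print(name, report)
        for cve in applicable_cves(report["version"]) if report["version"] else []:
            print("   ", cve[0], cve[2], cve[3], cve[4])
```

Treat a ?ver= match as a hint rather than proof: caching and minification plugins rewrite asset query strings, and the page's own fingerprint list records ?ver= as only one pattern among several. When the plugin directory is readable, the "Stable tag" line in its readme.txt is the usual cross-check before acting on a CVE match.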
FAQ

Frequently Asked Questions about Store Locator WordPress