CM Map Locations – Visualize and share your locations in a few clicks Security & Risk Analysis

The "cm-map-locations" plugin version 2.1.7 presents a mixed security posture. While it demonstrates good practices such as a high percentage of SQL queries using prepared statements and a significant number of nonce and capability checks, several concerning areas warrant attention. The presence of 3 AJAX handlers without authentication checks represents a direct attack surface that could be exploited by unauthenticated users. Furthermore, the taint analysis reveals 2 high-severity flows with unsanitized paths, indicating potential for serious vulnerabilities like cross-site scripting or remote code execution if not properly handled.

The plugin's vulnerability history shows a past of 2 medium-severity CVEs, both related to Cross-site Scripting (XSS). Although there are currently no unpatched vulnerabilities, this pattern suggests a recurring susceptibility to input sanitization issues. The fact that the last vulnerability was identified in the future (2025-07-21) is likely a data anomaly but doesn't negate the historical concern. The plugin's strengths lie in its efforts towards secure SQL querying and its general implementation of security checks, but the identified gaps in AJAX endpoint protection and the critical taint flows are significant weaknesses that elevate the overall risk.

In conclusion, while "cm-map-locations" v2.1.7 has some solid security foundations, the unprotected AJAX endpoints and the high-severity unsanitized taint flows are critical risks that require immediate attention. The historical XSS vulnerabilities, even if currently patched, serve as a warning sign for developers to prioritize robust input validation and output escaping. A balanced approach would involve addressing these specific weaknesses while acknowledging the plugin's positive aspects regarding prepared statements and broader security checks.