Geo Mashup Security & Risk Analysis

wordpress.org/plugins/geo-mashup

Include Google and OpenStreetMap maps in posts and pages, and map posts, pages, and other objects on global maps. Make WordPress into a GeoCMS.

2K active installs · v1.13.18 · PHP + WP 3.7+ · Updated Feb 15, 2026
Tags: geo, geocms, google-maps, mapping, maps
89
A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Feb 24, 2026
Safety Verdict

Is Geo Mashup Safe to Use in 2026?

Generally Safe

Score 89/100

Geo Mashup has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Feb 24, 2026 · Updated 1mo ago
Risk Assessment

The geo-mashup v1.13.18 plugin exhibits a mixed security posture. While it demonstrates good practices such as a high percentage of prepared SQL statements and a significant number of output escaping instances, several concerning areas are present. The static analysis reveals a substantial attack surface with 7 AJAX handlers lacking authentication checks, presenting a direct pathway for potential unauthorized actions. Furthermore, the presence of the `unserialize` function is a significant risk, as it can lead to object injection vulnerabilities if not handled with extreme caution and validation. The taint analysis, while showing no critical or high severity flows, did identify 5 flows with unsanitized paths, suggesting potential for subtle vulnerabilities.

The vulnerability history of this plugin is a major concern, with a total of 6 known CVEs, including 2 high-severity and 4 medium-severity vulnerabilities. The types of past vulnerabilities – SQL Injection, PHP Remote File Inclusion, and Cross-site Scripting – are common and critical attack vectors. The fact that there are currently no unpatched CVEs is positive, but the historical pattern indicates a recurring tendency for exploitable flaws. The bundled Freemius library v1.0, while not explicitly flagged as outdated, could be a potential vector if it contains known vulnerabilities not reflected in the plugin's direct CVE history.

In conclusion, the geo-mashup plugin has areas of strength in its handling of SQL queries and output escaping. However, the significant number of unprotected AJAX endpoints, the presence of `unserialize`, and a history of serious vulnerabilities (SQLi, RFI, XSS) are substantial risks. The taint analysis also flags potential for unsanitized input. The overall security posture is weakened by these factors, and users should be aware of the potential for exploitation, especially given the plugin's past. Vigilance and prompt updates are crucial.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function 'unserialize'
  • Flows with unsanitized paths
  • High severity vulnerability history (2 high)
  • Medium severity vulnerability history (4 medium)
  • Bundled outdated library (Freemius v1.0)
Vulnerabilities
6

Geo Mashup Security Vulnerabilities

CVEs by Year

  • 2015: 1 CVE
  • 2018: 1 CVE
  • 2024: 2 CVEs
  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

High: 2
Medium: 4

6 total CVEs

CVE-2026-2416 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Geo Mashup <= 1.13.17 - Unauthenticated SQL Injection via 'sort' Parameter

Feb 24, 2026 Patched in 1.13.18 (1d)
CVE-2025-48293 · high · 8.1 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Geo Mashup <= 1.13.16 - Unauthenticated Local File Inclusion

Jul 25, 2025 Patched in 1.13.17 (63d)
CVE-2024-8990 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Geo Mashup <= 1.13.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via geo_mashup_visible_posts_list Shortcode

Sep 30, 2024 Patched in 1.13.14 (1d)
CVE-2024-44008 · medium · 6.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Geo Mashup <= 1.13.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 16, 2024 Patched in 1.13.13 (19d)
CVE-2018-14071 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Geo Mashup - < 1.10.4 - Cross-Site Scripting

Jul 16, 2018 Patched in 1.10.4 (2017d)
CVE-2015-1383 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Geo Mashup < 1.8.3 - Cross-Site Scripting

Jan 27, 2015 Patched in 1.8.3 (3283d)
Code Analysis
Analyzed Mar 16, 2026

Geo Mashup Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 7 (44 prepared)
Unescaped Output: 122 (286 escaped)
Nonce Checks: 5
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize (freemius.php:75): `$this->init_data = defined( 'GEO_MASHUP_FREEMIUS_INIT' ) ? unserialize( GEO_MASHUP_FREEMIUS_INIT ) :`

Bundled Libraries

Freemius 1.0

SQL Query Safety

86% prepared · 51 total queries

Output Escaping

70% escaped · 408 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

7 flows · 5 with unsanitized paths
print_form (geo-mashup-ui-managers.php:474)
Attack Surface
7 unprotected

Geo Mashup Attack Surface

Entry Points: 22
Unprotected: 7

AJAX Handlers 7

nopriv wp_ajax_geo_mashup_edit geo-mashup-ui-managers.php:602
auth wp_ajax_geo_mashup_edit geo-mashup-ui-managers.php:603
auth wp_ajax_geo_mashup_query geo-mashup.php:182
nopriv wp_ajax_geo_mashup_query geo-mashup.php:183
auth wp_ajax_geo_mashup_kml_attachments geo-mashup.php:184
nopriv wp_ajax_geo_mashup_kml_attachments geo-mashup.php:185
auth wp_ajax_geo_mashup_suggest_custom_keys geo-mashup.php:186

Shortcodes 15

[geo_mashup_save_location] geo-mashup-ui-managers.php:754
[geo_mashup_map] shortcodes.php:8
[geo_mashup_show_on_map_link] shortcodes.php:9
[geo_mashup_show_on_map_link_url] shortcodes.php:10
[geo_mashup_full_post] shortcodes.php:11
[geo_mashup_category_name] shortcodes.php:12
[geo_mashup_category_legend] shortcodes.php:13
[geo_mashup_term_legend] shortcodes.php:14
[geo_mashup_list_located_posts] shortcodes.php:15
[geo_mashup_list_located_posts_by_area] shortcodes.php:16
[geo_mashup_tabbed_category_index] shortcodes.php:17
[geo_mashup_tabbed_term_index] shortcodes.php:18
[geo_mashup_visible_posts_list] shortcodes.php:19
[geo_mashup_location_info] shortcodes.php:20
[geo_mashup_nearby_list] shortcodes.php:21
WordPress Hooks 82
filter the_content default-templates\info-window-max.php:16
filter post_thumbnail_size default-templates\info-window.php:16
filter the_excerpt default-templates\info-window.php:19
action after_license_change freemius.php:83
action after_account_delete freemius.php:85
action after_uninstall freemius.php:87
filter query_vars geo-mashup-db.php:55
filter posts_fields geo-mashup-db.php:56
filter posts_join geo-mashup-db.php:57
filter posts_where geo-mashup-db.php:58
action parse_query geo-mashup-db.php:59
action delete_post geo-mashup-db.php:66
action delete_comment geo-mashup-db.php:67
action delete_user geo-mashup-db.php:68
filter update_post_metadata geo-mashup-db.php:80
action added_post_meta geo-mashup-db.php:81
action updated_post_meta geo-mashup-db.php:82
filter update_user_metadata geo-mashup-db.php:83
action added_user_meta geo-mashup-db.php:84
action updated_user_meta geo-mashup-db.php:85
filter update_comment_metadata geo-mashup-db.php:86
action added_comment_meta geo-mashup-db.php:87
action updated_comment_meta geo-mashup-db.php:88
action added_postmeta geo-mashup-db.php:90
action updated_postmeta geo-mashup-db.php:91
action geo_mashup_added_object_location geo-mashup-db.php:93
action geo_mashup_updated_object_location geo-mashup-db.php:94
action init geo-mashup-ui-managers.php:429
action show_user_profile geo-mashup-ui-managers.php:456
action edit_user_profile geo-mashup-ui-managers.php:457
action personal_options_update geo-mashup-ui-managers.php:461
action edit_user_profile_update geo-mashup-ui-managers.php:462
action init geo-mashup-ui-managers.php:570
filter upload_mimes geo-mashup-ui-managers.php:588
filter content_save_pre geo-mashup-ui-managers.php:593
action save_post geo-mashup-ui-managers.php:596
filter wp_handle_upload geo-mashup-ui-managers.php:599
action admin_menu geo-mashup-ui-managers.php:606
action admin_enqueue_scripts geo-mashup-ui-managers.php:609
action wp_enqueue_scripts geo-mashup-ui-managers.php:610
filter media_meta geo-mashup-ui-managers.php:615
action admin_print_scripts geo-mashup-ui-managers.php:620
action init geo-mashup-ui-managers.php:923
action comment_form geo-mashup-ui-managers.php:946
action wp_footer geo-mashup-ui-managers.php:949
action comment_post geo-mashup-ui-managers.php:952
action wpml_loaded geo-mashup.php:160
action init geo-mashup.php:176
action wp_scheduled_delete geo-mashup.php:177
action plugins_loaded geo-mashup.php:179
action plugins_loaded geo-mashup.php:180
action rest_api_init geo-mashup.php:188
action admin_menu geo-mashup.php:196
action admin_notices geo-mashup.php:199
filter plugin_action_links geo-mashup.php:202
filter plugin_row_meta geo-mashup.php:203
action admin_enqueue_scripts geo-mashup.php:206
filter list_cats geo-mashup.php:214
action wp_head geo-mashup.php:218
action wp_footer geo-mashup.php:221
filter widget_text geo-mashup.php:225
action rss2_ns geo-mashup.php:229
action atom_ns geo-mashup.php:230
action rss2_ns geo-mashup.php:231
action atom_ns geo-mashup.php:232
action rss2_item geo-mashup.php:235
action atom_entry geo-mashup.php:236
filter query_vars geo-mashup.php:239
action template_redirect geo-mashup.php:240
action widgets_init php\Hooks\RegisterSearchWidget.php:8
action geo_mashup_render_map php\Hooks\RenderSearchMap.php:25
filter the_content php\Hooks\SearchResults.php:11
filter the_content php\Hooks\SearchResults.php:52
action parse_query post-query.php:8
filter posts_clauses post-query.php:9
action geo_mashup_render_map snazzy-maps.php:15
filter geo_mashup_get_language_code wpml.php:17
filter geo_mashup_locations_join wpml.php:18
filter geo_mashup_locations_where wpml.php:19
filter geo_mashup_results_page_id wpml.php:20
filter wpml_duplicate_generic_string wpml.php:21
action icl_make_duplicate wpml.php:115
Maintenance & Trust

Geo Mashup Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 15, 2026
PHP min version
Downloads: 247K

Community Trust

Rating: 94/100
Number of ratings: 33
Active installs: 2K
Developer Profile

Geo Mashup Developer Profile

Dylan Kuhn

2 plugins · 2K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 897 days
Detection Fingerprints

How We Detect Geo Mashup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/geo-mashup/js/admin.js
  • /wp-content/plugins/geo-mashup/css/admin.css
  • /wp-content/plugins/geo-mashup/js/geo-mashup.js
  • /wp-content/plugins/geo-mashup/js/geo-mashup-map.js
  • /wp-content/plugins/geo-mashup/js/marker-icon.js
  • /wp-content/plugins/geo-mashup/js/marker-icon-static.js
  • /wp-content/plugins/geo-mashup/css/geo-mashup.css
Script Paths
  • /wp-content/plugins/geo-mashup/js/admin.js
  • /wp-content/plugins/geo-mashup/js/geo-mashup.js
  • /wp-content/plugins/geo-mashup/js/geo-mashup-map.js
  • /wp-content/plugins/geo-mashup/js/marker-icon.js
  • /wp-content/plugins/geo-mashup/js/marker-icon-static.js
Version Parameters
  • geo-mashup/css/admin.css?ver=
  • geo-mashup/js/admin.js?ver=
  • geo-mashup/js/geo-mashup.js?ver=
  • geo-mashup/js/geo-mashup-map.js?ver=
  • geo-mashup/js/marker-icon.js?ver=
  • geo-mashup/js/marker-icon-static.js?ver=
  • geo-mashup/css/geo-mashup.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • geo-mashup-map-container
  • geo-mashup-map
  • geo-mashup-loading
HTML Comments
  • <!-- Geo Mashup --><div class="geo-mashup-map-container"
  • <!-- Geo Mashup --><div class="geo-mashup-map"
Data Attributes
  • data-geo-mashup-map-id
  • data-geo-mashup-map-options
JS Globals
  • GeoMashup
  • GeoMashupMap
  • GeoMashupMapWidget
  • GeoMashupMarkerIcon
  • GeoMashupMarkerIconStatic
REST Endpoints
/wp-json/geo-mashup/v1
Shortcode Output
  • [geo_mashup]
  • [geo_mashup_filter]
  • [geo_mashup_search]
  • [geo_mashup_post_list]