GMap Targeting – Simple Targeting Inside Google Maps Security & Risk Analysis

The gmap-targeting plugin v1.1.8 exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and includes nonce and capability checks on its single AJAX entry point, significant concerns arise from its output escaping and historical vulnerability data. Only 3% of outputs are properly escaped, suggesting a high risk of Cross-Site Scripting (XSS) vulnerabilities, especially given the plugin's history of XSS CVEs. The presence of file operations and external HTTP requests, without explicit mention of sanitization in the static analysis, also warrants caution.

The vulnerability history is a major red flag. The plugin has a past of two high-severity CVEs, including Cross-Site Scripting and PHP Remote File Inclusion, with the most recent recorded vulnerability in 2026. Although currently unpatched CVEs are reported as 0, the recurrence of critical vulnerability types and the relatively recent past vulnerability indicate potential for future exploitable flaws. This history, coupled with the poor output escaping, creates a significant risk profile.

In conclusion, while the plugin has made some positive strides in secure coding practices like prepared statements and basic authentication checks, the pervasive lack of output escaping and the history of severe vulnerabilities, particularly PHP Remote File Inclusion and XSS, present a substantial security risk. Users should be extremely cautious and ensure the plugin is updated to the latest version, as the historical data suggests a pattern of exploitable weaknesses.