Instant Locations Security & Risk Analysis

wordpress.org/plugins/instant-locations

Instant & Auto populate location data with the power of Google Maps API.

10 active installs v1.0 PHP + WP 3.9+ Updated Apr 21, 2016
Tags: advanced-search, geo, google, post, posts
Score: 63 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Sep 5, 2025
Safety Verdict

Is Instant Locations Safe to Use in 2026?

Use With Caution

Score 63/100

Instant Locations has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 5, 2025 · Updated 10yr ago
Risk Assessment

The 'instant-locations' plugin v1.0 has a mixed security posture. On the positive side, it uses prepared statements for all SQL queries and implements at least one nonce check and one capability check. Against that, static analysis shows that a significant portion of output (83%) is not properly escaped, which indicates potential for Cross-Site Scripting (XSS) vulnerabilities. The taint analysis supports this: it identified two flows with unsanitized paths, although neither was classified as critical or high severity. The vulnerability history is a significant concern, with one unpatched medium-severity CVE related to XSS. The recent date of this vulnerability (2025-09-05) suggests a recurring pattern of input sanitization issues. In conclusion, the plugin has some positive security attributes, but the high rate of unescaped output and the unpatched XSS vulnerability call for careful consideration and remediation.

Key Concerns

  • Unpatched Medium Severity CVE (XSS)
  • High percentage of unescaped output (83%)
  • Taint analysis found unsanitized paths (2)
Vulnerabilities
1 published

Instant Locations Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-58886 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Instant Locations <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 5, 2025 · Unpatched
Version History

Instant Locations Release Timeline

v1.0 · Current · 1 CVE
Code Analysis
Analyzed Mar 17, 2026

Instant Locations Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 5 (1 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

17% escaped · 6 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
admin_init (inc\class-il-settings.php:42)
Attack Surface

Instant Locations Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 9
action · admin_enqueue_scripts · inc\class-il-main.php:17
action · plugins_loaded · inc\class-il-main.php:20
action · plugins_loaded · inc\class-il-main.php:23
action · load-post.php · inc\class-il-meta-box.php:13
action · load-post-new.php · inc\class-il-meta-box.php:14
action · add_meta_boxes · inc\class-il-meta-box.php:23
action · save_post · inc\class-il-meta-box.php:25
action · admin_menu · inc\class-il-settings.php:16
action · admin_init · inc\class-il-settings.php:18
Maintenance & Trust

Instant Locations Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.5.33
Last updated: Apr 21, 2016
PHP min version
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Instant Locations Developer Profile

Tan Nguyen

2 plugins · 20 total installs

Trust score: 76
Avg Security Score: 74/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Instant Locations

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/instant-locations/assets/css/instant-locations.css
/wp-content/plugins/instant-locations/assets/js/instant-locations.js
Script Paths
https://maps.googleapis.com/maps/api/js?libraries=places
Version Parameters
instant-locations/assets/css/instant-locations.css?ver=
instant-locations/assets/js/instant-locations.js?ver=
https://maps.googleapis.com/maps/api/js?libraries=places&key=
https://maps.googleapis.com/maps/api/js?libraries=places

HTML / DOM Fingerprints

CSS Classes
form-group, row, form-label, column, dashicons-location-alt
Data Attributes
id="form-group-address", id="address", name="location[address]", id="country", name="location[country]", id="administrative_area_level_1", +21 more
JS Globals
geo_config
FAQ

Frequently Asked Questions about Instant Locations