MapGeo – Interactive Geo Maps Security & Risk Analysis

The "interactive-geo-maps" plugin version 1.6.28 exhibits a mixed security posture. On the positive side, the static analysis reveals a strong adherence to secure coding practices, with no dangerous functions identified, all SQL queries utilizing prepared statements, and a high percentage of output properly escaped. The presence of a nonce check and a lack of identified unsanitized paths in taint analysis are also encouraging signs. However, the absence of capability checks on its entry points (AJAX handlers and shortcodes) is a notable concern. This means that any user, regardless of their role or permissions, could potentially interact with these plugin functionalities. The vulnerability history, while showing no currently unpatched CVEs, indicates a past prevalence of Cross-site Scripting (XSS) vulnerabilities, with three medium-severity issues on record. This history, combined with the lack of capability checks, suggests a potential for privilege escalation or unauthorized data manipulation if an attacker can leverage an XSS vector or directly call the unprotected entry points.