IP Locator Security & Risk Analysis

wordpress.org/plugins/ip-locator

Country and language IP-based detection for WordPress. Fast, reliable, plug & play.

600 active installs · v4.3.0 · PHP 8.1+ · WP 6.2+ · Updated Nov 22, 2025
Tags: country, flag, geolocation, language
Score: 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Mar 27, 2025
Safety Verdict

Is IP Locator Safe to Use in 2026?

Generally Safe

Score 99/100

IP Locator has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 27, 2025 · Updated 4mo ago
Risk Assessment

The ip-locator v4.3.0 plugin presents a mixed security posture. It follows good practice in SQL query sanitization and uses no dangerous functions, but several significant concerns warrant attention. Static analysis reveals a notable attack surface, with multiple AJAX handlers lacking proper authentication checks; these are potential entry points for unauthorized actions. Only 50% of outputs are properly escaped, which indicates a risk of Cross-Site Scripting (XSS) wherever user-supplied data is rendered without escaping. The vulnerability history shows no currently unpatched vulnerabilities, but it includes a past medium-severity XSS vulnerability, which is consistent with the output escaping concerns and suggests a recurring weakness in handling user input for output. Overall, the plugin is strong in its SQL handling, but the open AJAX endpoints and incomplete output escaping are key weaknesses that require remediation.

Key Concerns

  • Unprotected AJAX handlers
  • Improper output escaping
  • Past medium severity vulnerability (XSS)
Vulnerabilities
1

IP Locator Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-30826 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

IP Locator <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 27, 2025 Patched in 4.2.0 (7d)
Code Analysis
Analyzed Mar 16, 2026

IP Locator Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (31 prepared)
Unescaped Output: 48 (48 escaped)
Nonce Checks: 7
Capability Checks: 2
File Operations: 15
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

89% prepared · 35 total queries

Output Escaping

50% escaped · 96 total outputs
Attack Surface
2 unprotected

IP Locator Attack Surface

Entry Points: 13
Unprotected: 2

AJAX Handlers 3

auth wp_ajax_hide_iplocator_nag includes\plugin\class-core.php:111
auth wp_ajax_iplocator_get_stats includes\plugin\class-core.php:112
auth wp_ajax_poo_switch_autoupdate perfopsone\functions.php:32

Shortcodes 10

[iplocator-wpcli] includes\features\class-wpcli.php:505
[iplocator-changelog] includes\plugin\class-core.php:83
[iplocator-libraries] includes\plugin\class-core.php:84
[iplocator-shortcodes] includes\plugin\class-core.php:85
[iplocator-ip] includes\plugin\class-core.php:129
[iplocator-code] includes\plugin\class-core.php:130
[iplocator-country] includes\plugin\class-core.php:131
[iplocator-flag] includes\plugin\class-core.php:132
[iplocator-lang] includes\plugin\class-core.php:133
[iplocator-if] includes\plugin\class-core.php:134
WordPress Hooks 35
filter init_perfopsone_admin_menus admin\class-ip-locator-admin.php:165
filter body_class includes\features\class-cssmodifier.php:99
filter admin_body_class includes\features\class-cssmodifier.php:101
action shutdown includes\features\class-schema.php:79
filter perfopsone_plugin_info includes\plugin\class-core.php:79
action init includes\plugin\class-core.php:80
action init includes\plugin\class-core.php:81
action wp_head includes\plugin\class-core.php:82
action rest_api_init includes\plugin\class-core.php:89
action admin_enqueue_scripts includes\plugin\class-core.php:102
action admin_enqueue_scripts includes\plugin\class-core.php:103
action admin_menu includes\plugin\class-core.php:104
action admin_menu includes\plugin\class-core.php:105
action admin_menu includes\plugin\class-core.php:106
action admin_init includes\plugin\class-core.php:107
filter plugin_row_meta includes\plugin\class-core.php:109
action admin_notices includes\plugin\class-core.php:110
filter myblogs_blog_actions includes\plugin\class-core.php:113
filter manage_sites_action_links includes\plugin\class-core.php:114
action wp_enqueue_scripts includes\plugin\class-core.php:126
action wp_enqueue_scripts includes\plugin\class-core.php:127
action ip-locator-update-v4 includes\plugin\class-initializer.php:63
action ip-locator-update-v6 includes\plugin\class-initializer.php:64
filter plugins_api includes\plugin\class-updater.php:67
filter site_transient_update_plugins includes\plugin\class-updater.php:68
action upgrader_process_complete includes\plugin\class-updater.php:69
filter clean_url includes\plugin\class-updater.php:70
filter perfopsone_apcu_info includes\system\class-apcu.php:51
filter site_status_tests includes\system\class-sitehealth.php:77
filter site_status_tests includes\system\class-sitehealth.php:78
filter site_status_tests includes\system\class-sitehealth.php:79
filter site_status_tests includes\system\class-sitehealth.php:81
filter debug_information includes\system\class-sitehealth.php:91
filter debug_information includes\system\class-sitehealth.php:109
action admin_bar_menu perfopsone\class-adminbar.php:54
Maintenance & Trust

IP Locator Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 22, 2025
PHP min version: 8.1
Downloads: 20K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 600
Developer Profile

IP Locator Developer Profile

Pierre Lannoy

12 plugins · 15K total installs

Trust score: 87
Avg Security Score: 99/100
Avg Patch Time: 65 days
Detection Fingerprints

How We Detect IP Locator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ip-locator/assets/css/ip-locator-admin.css
/wp-content/plugins/ip-locator/assets/js/ip-locator-admin.js
Script Paths
/wp-content/plugins/ip-locator/assets/js/ip-locator-admin.js
Version Parameters
ip-locator/assets/css/ip-locator-admin.css?ver=
ip-locator/assets/js/ip-locator-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
iplocator-about-logo
Data Attributes
data-iplocator-map
JS Globals
IPLOCATOR_ASSETS_ID
IPLOCATOR_PRODUCT_NAME
IPLOCATOR_VERSION
IPLOCATOR_SLUG
REST Endpoints
/wp-json/iplocator/v1/location
Shortcode Output
[iplocator-libraries]
[iplocator-changelog]
[iplocator-wpcli]