Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) Security & Risk Analysis

wordpress.org/plugins/leaflet-maps-marker

The most comprehensive & user-friendly mapping solution for WordPress

10K active installs · v3.12.10 · PHP 5.3+ · WP 3.3+ · Updated Dec 5, 2025
Tags: bing, google-maps, googlemaps, map, openstreetmap
Score: 94 · A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Jul 19, 2024
Safety Verdict

Is Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) Safe to Use in 2026?

Generally Safe

Score 94/100

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Jul 19, 2024 · Updated 3mo ago
Risk Assessment

The Leaflet Maps Marker plugin v3.12.10 exhibits a mixed security posture. While the plugin has a small attack surface with only one unprotected AJAX handler, and a good number of capability checks and nonces present, concerns arise from the code analysis. A significant portion of SQL queries (44%) are not using prepared statements, presenting a potential SQL injection risk. Furthermore, less than half of the output operations are properly escaped, indicating a risk of Cross-Site Scripting (XSS) vulnerabilities. The vulnerability history shows a pattern of common web vulnerabilities like XSS and SQL injection, with several high and medium severity CVEs historically. The fact that there are currently no unpatched vulnerabilities is positive, but the repeated nature of these vulnerability types suggests a need for more robust input validation and output sanitization practices.

Key Concerns

  • SQL queries not using prepared statements
  • Output escaping is not properly implemented
  • Bundled outdated library (Select2 v3.5.4)
  • History of high severity vulnerabilities
Vulnerabilities (6)

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) Security Vulnerabilities

CVEs by Year

  • 2012: 1 CVE
  • 2013: 1 CVE
  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 2 CVEs

Severity Breakdown

  • High: 2
  • Medium: 4

6 total CVEs

CVE-2024-38782 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Leaflet Maps Marker <= 3.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 19, 2024 · Patched in 3.12.10 (7d)

CVE-2024-3670 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) <= 3.12.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Apr 8, 2024 · Patched in 3.12.9 (25d)

CVE-2022-4677 · high · 7.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Leaflet Maps Marker < 3.12.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 12, 2023 · Patched in 3.12.7 (376d)

CVE-2022-1123 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) <= 3.12.4 - Authenticated (Admin+) SQL Injection

Aug 8, 2022 · Patched in 3.12.5 (533d)

WF-6f1856bc-6d57-416e-86e9-9114bbbe5c8d-leaflet-maps-marker · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) < 3.5.4 - Cross-Site Scripting

May 24, 2013 · Patched in 3.5.4 (3896d)

CVE-2012-2913 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) < 2.3.1 - Cross-Site Scripting

May 15, 2012 · Patched in 2.3.1 (4270d)

Code Analysis
Analyzed Mar 16, 2026

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 83 (105 prepared)
  • Unescaped Output: 1159 (865 escaped)
  • Nonce Checks: 10
  • Capability Checks: 37
  • File Operations: 15
  • External Requests: 7
  • Bundled Libraries: 3

Bundled Libraries

TinyMCE, jQuery, Select2 3.5.4

SQL Query Safety

56% prepared · 188 total queries

Output Escaping

43% escaped · 2024 total outputs

Data Flows: 8 unsanitized

Data Flow Analysis

14 flows · 8 with unsanitized paths
<leaflet-api> (leaflet-api.php:0)
Attack Surface

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers: 1

  • auth · wp_ajax_get_mm_list · inc\tinymce-plugin.php:47

WordPress Hooks: 43

  • filter · query_vars · inc\class-google-places-geocoding.php:20
  • action · parse_request · inc\class-google-places-geocoding.php:21
  • action · init · inc\class-google-places-geocoding.php:22
  • action · init · inc\class-google-places-geocoding.php:184
  • action · admin_print_styles-post.php · inc\tinymce-plugin.php:4
  • action · admin_print_styles-post-new.php · inc\tinymce-plugin.php:5
  • filter · mce_external_plugins · inc\tinymce-plugin.php:15
  • filter · mce_external_plugins · inc\tinymce-plugin.php:16
  • action · admin_footer · inc\tinymce-plugin.php:18
  • action · init · leaflet-maps-marker.php:89
  • action · admin_init · leaflet-maps-marker.php:90
  • action · admin_init · leaflet-maps-marker.php:91
  • action · wp_enqueue_scripts · leaflet-maps-marker.php:95
  • action · wp_head · leaflet-maps-marker.php:96
  • action · init · leaflet-maps-marker.php:97
  • action · wp_footer · leaflet-maps-marker.php:98
  • action · wp_print_scripts · leaflet-maps-marker.php:99
  • action · wp_enqueue_scripts · leaflet-maps-marker.php:102
  • action · wp_print_styles · leaflet-maps-marker.php:103
  • action · admin_menu · leaflet-maps-marker.php:104
  • action · admin_init · leaflet-maps-marker.php:105
  • action · admin_bar_menu · leaflet-maps-marker.php:106
  • action · admin_notices · leaflet-maps-marker.php:108
  • action · admin_init · leaflet-maps-marker.php:109
  • filter · widget_text · leaflet-maps-marker.php:114
  • action · admin_notices · leaflet-maps-marker.php:116
  • filter · plugin_locale · leaflet-maps-marker.php:123
  • action · widgets_init · leaflet-maps-marker.php:125
  • action · wp_dashboard_setup · leaflet-maps-marker.php:128
  • action · wp_network_dashboard_setup · leaflet-maps-marker.php:130
  • action · wp_dashboard_setup · leaflet-maps-marker.php:131
  • action · admin_enqueue_scripts · leaflet-maps-marker.php:137
  • action · admin_enqueue_scripts · leaflet-maps-marker.php:140
  • action · delete_blog · leaflet-maps-marker.php:143
  • action · template_include · leaflet-maps-marker.php:147
  • action · plugin_row_meta · leaflet-maps-marker.php:150
  • action · admin_enqueue_scripts · leaflet-maps-marker.php:151
  • action · admin_print_footer_scripts · leaflet-maps-marker.php:223
  • action · admin_print_footer_scripts · leaflet-maps-marker.php:275
  • action · admin_enqueue_scripts · leaflet-maps-marker.php:522
  • filter · plugin_action_links · leaflet-maps-marker.php:932
  • filter · https_ssl_verify · leaflet-pro-upgrade.php:65
  • filter · https_local_ssl_verify · leaflet-pro-upgrade.php:66

Maintenance & Trust

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 5, 2025
  • PHP min version: 5.3
  • Downloads: 913K

Community Trust

  • Rating: 92/100
  • Number of ratings: 245
  • Active installs: 10K

Developer Profile

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) Developer Profile

Robert Seyfriedsberger

3 plugins · 10K total installs

  • Trust score: 73
  • Avg Security Score: 91/100
  • Avg Patch Time: 1302 days
Detection Fingerprints

How We Detect Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/leaflet-maps-marker/leaflet-maps-marker.css
  • /wp-content/plugins/leaflet-maps-marker/leaflet-maps-marker.js
  • /wp-content/plugins/leaflet-maps-marker/css/leaflet-maps-marker-admin.css
  • /wp-content/plugins/leaflet-maps-marker/css/leaflet-maps-marker.css
  • /wp-content/plugins/leaflet-maps-marker/js/leaflet-maps-marker-admin.js
  • /wp-content/plugins/leaflet-maps-marker/js/leaflet-maps-marker.js
  • /wp-content/plugins/leaflet-maps-marker/js/leaflet-maps-marker.min.js
  • /wp-content/plugins/leaflet-maps-marker/js/leaflet-maps-marker-map.js

Script Paths

  • leaflet-maps-marker/leaflet-maps-marker.js
  • leaflet-maps-marker/leaflet-maps-marker.min.js
  • leaflet-maps-marker/js/leaflet-maps-marker-map.js

Version Parameters

  • leaflet-maps-marker/leaflet-maps-marker.js?ver=
  • leaflet-maps-marker/leaflet-maps-marker.min.js?ver=
  • leaflet-maps-marker/js/leaflet-maps-marker-map.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • leaflet-maps-marker

HTML Comments

  • info prevent file from being accessed directly
  • ASCII Map (C) 1998 Matthew Thomas (freely usable as long as this line is included)
  • info: die if old pro version is active
  • info: define necessary paths and urls
  • +1 more

Data Attributes

  • data-lmm-marker-id
  • data-lmm-map-id

JS Globals

  • window.leaflet_maps_marker_open
  • window.leaflet_maps_marker_cookie

Shortcode Output

  • [leaflet-maps-marker]

FAQ

Frequently Asked Questions about Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)