Local Magic Security & Risk Analysis

wordpress.org/plugins/local-magic

The Local Magic© WordPress plugin extends the functionality of the SaaS Local Magic© to WordPress so that the local magic can be displayed o …

100 active installs · v2.9.0 · PHP 5.6.0+ · WP 3.5.1+ · Updated Jan 21, 2026
Tags: charleston, local-magic, local-seo, seo
Score: 54/100 (C · Use Caution)
CVEs total: 2
Unpatched: 2
Last CVE: Apr 14, 2025
Safety Verdict

Is Local Magic Safe to Use in 2026?

Use With Caution

Score 54/100

Local Magic has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

2 known CVEs · 2 unpatched · Last CVE: Apr 14, 2025 · Updated 2mo ago
Risk Assessment

The 'local-magic' plugin v2.9.0 presents a mixed security posture with several concerning aspects. While it shows some good practices like a high percentage of prepared SQL statements and no detected critical or high severity taint flows, the significant number of unprotected AJAX handlers (10 out of 10) is a major red flag. This large attack surface without proper authorization checks opens the door for various privilege escalation and unauthorized action vulnerabilities.

The plugin's vulnerability history is also a concern, with two known and currently unpatched CVEs, one of which is high severity. The common vulnerability types, including SQL Injection and Missing Authorization, directly correlate with the findings in the static analysis. The fact that these vulnerabilities are recent (last one in 2025) suggests an ongoing struggle with secure development practices.

Overall, the plugin's security is compromised by its unprotected entry points and its history of critical and high-severity vulnerabilities, particularly those related to authorization and SQL injection. While the static analysis did not reveal critical taint flows, the potential for exploitation due to missing authorization checks on AJAX handlers, combined with past vulnerabilities, makes this plugin a moderate to high risk.

Key Concerns

  • Unprotected AJAX handlers
  • Unpatched high severity CVE
  • Unpatched medium severity CVE
  • Low percentage of properly escaped output
  • Only 1 nonce check
  • Only 1 capability check
Vulnerabilities: 2

Local Magic Security Vulnerabilities

CVEs by Year

2 CVEs in 2025 · unpatched

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2025-32636 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Local Magic <= 2.6.0 - Unauthenticated SQL Injection

Apr 14, 2025 · Unpatched

CVE-2025-31858 · medium · 5.3 · Missing Authorization

Local Magic <= 2.6.0 - Missing Authorization

Apr 2, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Local Magic Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 11 (102 prepared)
Unescaped Output: 10 (4 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 7
External Requests: 3
Bundled Libraries: 0

SQL Query Safety

90% prepared · 113 total queries

Output Escaping

29% escaped · 14 total outputs
Data Flows: All sanitized

Data Flow Analysis

2 flows
<setting> (admin\setting.php:0)
Attack Surface: 10 unprotected

Local Magic Attack Surface

Entry Points: 17
Unprotected: 10

AJAX Handlers 10

nopriv wp_ajax_mrylm-manage-pages local-magic.php:132
nopriv wp_ajax_mrylm-update-setting local-magic.php:232
nopriv wp_ajax_mrylm-manage-cities local-magic.php:325
nopriv wp_ajax_mrylm-manage-typewise-cities local-magic.php:450
nopriv wp_ajax_mrylm-manage-single-types local-magic.php:554
nopriv wp_ajax_mrylm-add-city local-magic.php:655
nopriv wp_ajax_mrylm-update-city local-magic.php:771
nopriv wp_ajax_mrylm-manage-news local-magic.php:893
nopriv wp_ajax_mrylm-delete-city local-magic.php:961
nopriv wp_ajax_api-post-job local-magic.php:1041

Shortcodes 7

[mrylm-article] local-magic.php:94
[mrylm-menu] local-magic.php:99
[mrylm-news] local-magic.php:104
[mrylm-service-area] local-magic.php:109
[mrylm-near-me-menu] local-magic.php:114
[mrylm-job-posting] local-magic.php:120
[mrylm_poi] local-magic.php:125

WordPress Hooks 10

action wp_enqueue_scripts local-magic.php:59
action admin_menu local-magic.php:67
action upgrader_process_complete local-magic.php:81
filter query_vars local-magic.php:1201
action init local-magic.php:1207
filter pre_get_document_title local-magic.php:1227
filter document_title_parts local-magic.php:1228
filter document_title_separator local-magic.php:1229
action wp_head local-magic.php:1243
action wp_footer local-magic.php:1244
Maintenance & Trust

Local Magic Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jan 21, 2026
PHP min version: 5.6.0
Downloads: 6K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 100
Developer Profile

Local Magic Developer Profile

matthewrubin

2 plugins · 200 total installs

Trust score: 71
Avg Security Score: 67/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Local Magic

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/local-magic/admin/setting.php
/wp-content/plugins/local-magic/activate.php
/wp-content/plugins/local-magic/deactivate.php
/wp-content/plugins/local-magic/include/function.php
/wp-content/plugins/local-magic/assets/images/icon-lm-light.png

HTML / DOM Fingerprints

JS Globals
mrylm_manage_pages, mrylm_update_setting, mrylm_local_magic_article, mrylm_dropdown_menu, mrylm_news, mrylm_service_area, +5 more
REST Endpoints
/wp-json/local-magic/v1/feed
Shortcode Output
[mrylm-article] [mrylm-menu] [mrylm-news] [mrylm-service-area]