LocateAndFilter Security & Risk Analysis

wordpress.org/plugins/locateandfilter

Create Maps exactly the way you want using LocateAndFilter.

200 active installs · v1.6.17 · PHP 5.2.4+ · WP 4.5.0+ · Updated Apr 24, 2025
Tags: filterable-map, filters-by-taxonomy, leaflet, locateandfilter, search-map

Score: 98
Grade: A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: May 7, 2025
Safety Verdict

Is LocateAndFilter Safe to Use in 2026?

Generally Safe

Score 98/100

LocateAndFilter has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: May 7, 2025 · Updated 11mo ago
Risk Assessment

The plugin "locateandfilter" v1.6.17 presents a mixed security posture. While it demonstrates good practices in areas like SQL query sanitization (100% prepared statements) and output escaping (96%), significant concerns arise from its attack surface and vulnerability history. A large number of AJAX handlers (16) lack proper authentication checks, creating a substantial entry point for unauthorized actions. The presence of 72 dangerous function calls, particularly `unserialize`, is a notable risk, especially if user-controlled input can influence serialized data. The vulnerability history shows two medium-severity CVEs, indicating past weaknesses related to missing authorization and cross-site scripting, even though they are currently patched. The pattern of these past vulnerabilities, coupled with the current lack of authorization on many AJAX endpoints, suggests a recurring theme of authorization bypass potential.

Key Concerns

  • 16 AJAX handlers without auth checks
  • 72 dangerous functions (unserialize)
  • 2 past medium severity CVEs
  • Bundled outdated library Select2 v4.0.6
  • Bundled outdated library jQuery v1.12.4
Vulnerabilities: 2

LocateAndFilter Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-47457 · medium · 5.3 · Missing Authorization
LocateAndFilter <= 1.6.16 - Missing Authorization
May 7, 2025 · Patched in 1.6.17 (6d)

CVE-2024-9304 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
LocateAndFilter <= 1.6.14 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Sep 30, 2024 · Patched in 1.6.16 (53d)
Code Analysis
Analyzed Mar 16, 2026

LocateAndFilter Code Analysis

Dangerous Functions: 72
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 18 (479 escaped)
Nonce Checks: 15
Capability Checks: 1
File Operations: 1
External Requests: 3
Bundled Libraries: 2

Dangerous Functions Found

Function | Code snippet | Location
unserialize | <option value="<?php echo esc_attr($name); ?>" data-variants="" <?php if (unserialize(get_option("lo | addons\class-locate-and-filter-addons.php:102
unserialize | <option value="<?php echo esc_attr($name . '.' . $variants_name); ?>" data-variants="<?php echo esc_ | addons\class-locate-and-filter-addons.php:108
unserialize | <input type="text" size="100" name="locate-anything-option-map-provider-addon-accessToken-jawg" valu | addons\class-locate-and-filter-addons.php:122
unserialize | <input type="text" size="100" name="locate-anything-option-map-provider-addon-customstyle-jawg" valu | addons\class-locate-and-filter-addons.php:125
unserialize | <input type="text" size="100" name="locate-anything-option-map-provider-addon-accessToken-thunderfor | addons\class-locate-and-filter-addons.php:131
unserialize | <input type="text" size="100" name="locate-anything-option-map-provider-addon-accessToken-mapbox" va | addons\class-locate-and-filter-addons.php:137
unserialize | <input type="text" size="100" name="locate-anything-option-map-provider-addon-accessToken-maptiler" | addons\class-locate-and-filter-addons.php:143
unserialize | <input type="text" size="100" name="locate-anything-option-map-provider-addon-accessToken-openweathe | addons\class-locate-and-filter-addons.php:149
unserialize | <input type="text" size="100" name="locate-anything-option-map-provider-addon-accessToken-here" valu | addons\class-locate-and-filter-addons.php:155
unserialize | $key = unserialize (get_option("locate-anything-option-googlemaps-key")); | admin\class-locate-and-filter-admin.php:139
unserialize | $key = unserialize (get_option("locate-anything-option-bingmaps-key")); | admin\class-locate-and-filter-admin.php:150
unserialize | $allowed_post_types = unserialize (get_option ( 'locate-anything-option-sources' )); | admin\class-locate-and-filter-admin.php:162
unserialize | wp_enqueue_script($this->plugin_name . "-googleAPI", "https://maps.googleapis.com/maps/api/js?key=". | admin\class-locate-and-filter-admin.php:180
unserialize | $allowed_post_types = unserialize (get_option ( 'locate-anything-option-sources' )); | admin\class-locate-and-filter-admin.php:222
unserialize | $selected_post_types = unserialize(get_option('locate-anything-option-sources')); | admin\class-locate-and-filter-admin.php:252
unserialize | $additional_field_list_json = stripslashes(unserialize(get_option('locate-anything-option-additional | admin\class-locate-and-filter-admin.php:650
unserialize | $additional_field_list_json = stripslashes(unserialize(get_option('locate-anything-option-additional | admin\class-locate-and-filter-admin.php:671
unserialize | $post_types += unserialize (get_option ( 'locate-anything-option-sources' )); | admin\class-locate-and-filter-admin.php:677
unserialize | $additional_field_list_json = stripslashes(unserialize(get_option('locate-anything-option-additional | admin\class-locate-and-filter-admin.php:736
unserialize | $license_key =unserialize(get_option("locate-anything-option-".$licences[$id]."-license")); | admin\class-locate-and-filter-admin.php:820
unserialize | $post_types = unserialize (get_option ( 'locate-anything-option-sources' )); | admin\partials\locate-and-filter-metabox-admin.php:325
unserialize | <td><?php if(unserialize(get_option("locate-anything-option-enable-cache"))==0) esc_html_e("The cac | admin\partials\locate-and-filter-metabox-admin.php:508
unserialize | <?php $googlemaps_key = unserialize (get_option("locate-anything-option-googlemaps-key")); ?> | admin\partials\locate-and-filter-metabox-post.php:73
unserialize | <td><input type="text" style="max-width:auto" size="55" name="locate-anything-option-license-key" va | admin\partials\locate-and-filter-settings-admin.php:28
unserialize | <td><?php esc_html_e("GoogleMaps Key (only if you use GoogleMaps)","locateandfilter");?>:</td> <td>< | admin\partials\locate-and-filter-settings-admin.php:33
unserialize | <td><?php esc_html_e("BingMaps Key (only if you use BingMaps)","locateandfilter");?>:</td> <td><inpu | admin\partials\locate-and-filter-settings-admin.php:37
unserialize | $selected_language = $selected_language ? unserialize($selected_language) : ''; // Fallback if unser | admin\partials\locate-and-filter-settings-admin.php:47
unserialize | $selected_items = $selected_items ? unserialize($selected_items) : array(); // Fallback if unseriali | admin\partials\locate-and-filter-settings-admin.php:68
unserialize | $selected_items = $selected_items ? unserialize($selected_items) : array(); // Fallback if unseriali | admin\partials\locate-and-filter-settings-admin.php:97
unserialize | value="<?php echo esc_attr(unserialize(get_option("locate-anything-option-cache-timeout")) ?: ''); ? | admin\partials\locate-and-filter-settings-admin.php:164
unserialize | <?php if (unserialize(get_option("locate-anything-option-enable-cache")) == 1) echo "checked"; ?>> | admin\partials\locate-and-filter-settings-admin.php:169
unserialize | <?php if (unserialize(get_option("locate-anything-option-enable-cache")) == 0) echo "checked"; ?>> | admin\partials\locate-and-filter-settings-admin.php:172
unserialize | value="<?php echo esc_attr(unserialize(get_option("locate-anything-option-maxclusterradius")) ?: 0); | admin\partials\locate-and-filter-settings-admin.php:183
unserialize | <li> <input type="radio" name="locate-anything-option-load-chosen" value="1" <?php if (unserialize(g | admin\partials\locate-and-filter-settings-admin.php:192
unserialize | <li> <input type="radio" name="locate-anything-option-load-chosen" value="1" <?php if (unserialize(g | admin\partials\locate-and-filter-settings-admin.php:192
unserialize | <li> <input type="radio" name="locate-anything-option-enable_fullscreenControl" value="1" <?php if ( | admin\partials\locate-and-filter-settings-admin.php:199
unserialize | <li> <input type="radio" name="locate-anything-option-enable_fullscreenControl" value="1" <?php if ( | admin\partials\locate-and-filter-settings-admin.php:199
unserialize | $loadjs = unserialize (get_option ( 'locate-anything-option-loadjs' )); | includes\class-locate-and-filter.php:119
unserialize | $load_chosen = unserialize (get_option ( 'locate-anything-option-load-chosen' )); | public\class-locate-and-filter-public.php:74
unserialize | $enable_fullscreenControl = unserialize (get_option ( 'locate-anything-option-enable_fullscreenContr | public\class-locate-and-filter-public.php:91
unserialize | $loadjs = unserialize (get_option ( 'locate-anything-option-loadjs' )); | public\class-locate-and-filter-public.php:113
unserialize | wp_enqueue_script ( $this->plugin_name . "-googleAPI", "https://maps.googleapis.com/maps/api/js?v=3. | public\class-locate-and-filter-public.php:119
unserialize | wp_enqueue_script ( $this->plugin_name . "-yandexAPI", "http://api-maps.yandex.ru/2.0/?load=package. | public\class-locate-and-filter-public.php:136
unserialize | $load_chosen = unserialize (get_option ( 'locate-anything-option-load-chosen' )); | public\class-locate-and-filter-public.php:201
unserialize | if($type_license === "label") $license_key =unserialize(get_option("locate-anything-option-license- | public\class-locate-and-filter-public.php:252
unserialize | $filters = unserialize($settings["locate-anything-show-filters"]); | public\class-locate-and-filter-public.php:460
unserialize | $loadjs = unserialize (get_option ( 'locate-anything-option-loadjs' )); | public\class-locate-and-filter-public.php:467
unserialize | $params ["overlay-addon"] = unserialize(get_option ("locate-anything-option-map-provider-addon")); | public\class-locate-and-filter-public.php:526
unserialize | $params ["overlay-addon-accessToken-jawg"] = unserialize(get_option ("locate-anything-option-map-pro | public\class-locate-and-filter-public.php:527
unserialize | $params ["overlay-addon-customstyle-jawg"] = unserialize(get_option ("locate-anything-option-map-pro | public\class-locate-and-filter-public.php:528
unserialize | $params ["overlay-addon-accessToken-thunderforest"] = unserialize(get_option ("locate-anything-optio | public\class-locate-and-filter-public.php:529
unserialize | $params ["overlay-addon-accessToken-mapbox"] = unserialize(get_option ("locate-anything-option-map-p | public\class-locate-and-filter-public.php:530
unserialize | $params ["overlay-addon-accessToken-maptiler"] = unserialize(get_option ("locate-anything-option-map | public\class-locate-and-filter-public.php:531
unserialize | $params ["overlay-addon-accessToken-openweathermap"] = unserialize(get_option ("locate-anything-opti | public\class-locate-and-filter-public.php:532
unserialize | $params ["overlay-addon-accessToken-here"] = unserialize(get_option ("locate-anything-option-map-pro | public\class-locate-and-filter-public.php:533
unserialize | <?php $load_chosen = unserialize( get_option('locate-anything-option-load-chosen') ); | public\class-locate-and-filter-public.php:737
unserialize | $isCacheEnabled = unserialize(get_option ( "locate-anything-option-enable-cache")); | public\class-locate-and-filter-public.php:1008
unserialize | $cache_timeout = unserialize(get_option ( "locate-anything-option-cache-timeout")); | public\class-locate-and-filter-public.php:1014
unserialize | if(!is_array($taxonomies)) $taxonomies = unserialize($taxonomies); | public\class-locate-and-filter-public.php:1207
unserialize | if(!is_array($filters)) $filters = unserialize($filters); | public\class-locate-and-filter-public.php:1208
unserialize | if(!is_array($allowed))$params['locate-anything-allowed-filters-value-'.$taxonomy]=unserialize($allo | public\class-locate-and-filter-public.php:1213
unserialize | $filters = unserialize($settings["locate-anything-show-filters"]); | public\class-locate-and-filter-public.php:1593
unserialize | $loadjs = unserialize (get_option ( 'locate-anything-option-loadjs' )); | public\class-locate-and-filter-public.php:1600
unserialize | $params ["overlay-addon"] = unserialize(get_option ("locate-anything-option-map-provider-addon")); | public\class-locate-and-filter-public.php:1657
unserialize | $params ["overlay-addon-accessToken-jawg"] = unserialize(get_option ("locate-anything-option-map-pro | public\class-locate-and-filter-public.php:1658
unserialize | $params ["overlay-addon-customstyle-jawg"] = unserialize(get_option ("locate-anything-option-map-pro | public\class-locate-and-filter-public.php:1659
unserialize | $params ["overlay-addon-accessToken-thunderforest"] = unserialize(get_option ("locate-anything-optio | public\class-locate-and-filter-public.php:1660
unserialize | $params ["overlay-addon-accessToken-mapbox"] = unserialize(get_option ("locate-anything-option-map-p | public\class-locate-and-filter-public.php:1661
unserialize | $params ["overlay-addon-accessToken-maptiler"] = unserialize(get_option ("locate-anything-option-map | public\class-locate-and-filter-public.php:1662
unserialize | $params ["overlay-addon-accessToken-openweathermap"] = unserialize(get_option ("locate-anything-opti | public\class-locate-and-filter-public.php:1663
unserialize | $params ["overlay-addon-accessToken-here"] = unserialize(get_option ("locate-anything-option-map-pro | public\class-locate-and-filter-public.php:1664
unserialize | <?php $load_chosen = unserialize( get_option('locate-anything-option-load-chosen') ); | public\class-locate-and-filter-public.php:1869

Bundled Libraries

Select2 4.0.6 · jQuery 1.12.4

Output Escaping

96% escaped (497 total outputs)
Data Flows: All sanitized

Data Flow Analysis

7 flows
LA_getTaxonomies (admin\class-locate-and-filter-admin.php:864)
Attack Surface
16 unprotected

LocateAndFilter Attack Surface

Entry Points: 22
Unprotected: 16

AJAX Handlers 16

Context | Hook | Location
auth | wp_ajax_LAgetTaxonomies | includes\class-locate-and-filter.php:226
nopriv | wp_ajax_LAgetTaxonomies | includes\class-locate-and-filter.php:227
auth | wp_ajax_LAgetTaxonomies_plus | includes\class-locate-and-filter.php:230
nopriv | wp_ajax_LAgetTaxonomies_plus | includes\class-locate-and-filter.php:231
auth | wp_ajax_LAgetPOST_id | includes\class-locate-and-filter.php:234
nopriv | wp_ajax_LAgetPOST_id | includes\class-locate-and-filter.php:235
auth | wp_ajax_LAgetTaxonomyTerms | includes\class-locate-and-filter.php:237
nopriv | wp_ajax_LAgetTaxonomyTerms | includes\class-locate-and-filter.php:238
auth | wp_ajax_refresh_cache | includes\class-locate-and-filter.php:240
nopriv | wp_ajax_refresh_cache | includes\class-locate-and-filter.php:241
auth | wp_ajax_getLayoutCode | includes\class-locate-and-filter.php:243
nopriv | wp_ajax_getLayoutCode | includes\class-locate-and-filter.php:244
auth | wp_ajax_LAgetFilters | includes\class-locate-and-filter.php:246
nopriv | wp_ajax_LAgetFilters | includes\class-locate-and-filter.php:247
auth | wp_ajax_getMarkers | includes\class-locate-and-filter.php:285
nopriv | wp_ajax_getMarkers | includes\class-locate-and-filter.php:286

Shortcodes 6

[LocateAndFilter] public\class-locate-and-filter-public.php:265
[LocateAndFilter_map] public\class-locate-and-filter-public.php:266
[LocateAndFilter_navlist] public\class-locate-and-filter-public.php:267
[LocateAndFilter_filters] public\class-locate-and-filter-public.php:268
[LocateAndFilter_map_single] public\class-locate-and-filter-public.php:271
[LocateAndFilter_filters_single] public\class-locate-and-filter-public.php:272

WordPress Hooks 28

Type | Hook | Location
filter | locate_anything_add_option_tab | addons\class-locate-and-filter-addons.php:66
filter | locate_anything_add_option_pane | addons\class-locate-and-filter-addons.php:71
filter | locate_anything_add_option_tab | includes\class-locate-and-filter-addon-helper.php:17
filter | locate_anything_add_option_pane | includes\class-locate-and-filter-addon-helper.php:22
filter | locate_anything_add_overlays | includes\class-locate-and-filter-addon-helper.php:41
filter | locate_anything_tooltip_presets | includes\class-locate-and-filter-addon-helper.php:58
filter | locate_anything_navlist_presets | includes\class-locate-and-filter-addon-helper.php:75
filter | locate_anything_add_marker_icons | includes\class-locate-and-filter-addon-helper.php:92
filter | locate_anything_add_map_layouts | includes\class-locate-and-filter-addon-helper.php:109
filter | locate_anything_add_filter_choice | includes\class-locate-and-filter-addon-helper.php:154
filter | locate_anything_basic_markup | includes\class-locate-and-filter-addon-helper.php:170
filter | locate_anything_marker_vars | includes\class-locate-and-filter-addon-helper.php:184
filter | locate_anything_filter_related_vars | includes\class-locate-and-filter-addon-helper.php:202
filter | locate_anything_whitelist_params | includes\class-locate-and-filter-addon-helper.php:220
filter | locate_anything_add_custom_filters | includes\class-locate-and-filter-addon-helper.php:227
action | plugins_loaded | includes\class-locate-and-filter.php:207
action | admin_enqueue_scripts | includes\class-locate-and-filter.php:222
action | admin_enqueue_scripts | includes\class-locate-and-filter.php:223
action | admin_menu | includes\class-locate-and-filter.php:251
action | init | includes\class-locate-and-filter.php:252
action | add_meta_boxes | includes\class-locate-and-filter.php:255
action | add_meta_boxes | includes\class-locate-and-filter.php:256
action | save_post | includes\class-locate-and-filter.php:258
action | admin_init | includes\class-locate-and-filter.php:259
action | admin_notices | includes\class-locate-and-filter.php:261
action | admin_menu | includes\class-locate-and-filter.php:265
action | plugins_loaded | includes\class.upgrademe.php:203
action | admin_notices | locateandfilter.php:103

Maintenance & Trust

LocateAndFilter Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 24, 2025
PHP min version: 5.2.4
Downloads: 9K

Community Trust

Rating: 100/100
Number of ratings: 12
Active installs: 200

Developer Profile

LocateAndFilter Developer Profile

dgamoni

1 plugin · 200 total installs

Trust score: 93
Avg Security Score: 98/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect LocateAndFilter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/locateandfilter/assets/css/laf-select2.min.css
/wp-content/plugins/locateandfilter/assets/css/laf.css
/wp-content/plugins/locateandfilter/assets/css/laf-edit.css
/wp-content/plugins/locateandfilter/assets/css/laf-editor-block.css
/wp-content/plugins/locateandfilter/assets/css/laf-frontend.css
/wp-content/plugins/locateandfilter/assets/js/laf-select2.min.js
/wp-content/plugins/locateandfilter/assets/js/laf-editor-block.js
/wp-content/plugins/locateandfilter/assets/js/laf-frontend.js
+1 more
Script Paths
/wp-content/plugins/locateandfilter/assets/js/laf.js
/wp-content/plugins/locateandfilter/assets/js/laf-frontend.js
/wp-content/plugins/locateandfilter/assets/js/laf-editor-block.js
/wp-content/plugins/locateandfilter/assets/js/laf-select2.min.js
Version Parameters
locateandfilter/assets/css/laf.css?ver=
locateandfilter/assets/css/laf-frontend.css?ver=
locateandfilter/assets/css/laf-edit.css?ver=
locateandfilter/assets/css/laf-editor-block.css?ver=
locateandfilter/assets/css/laf-select2.min.css?ver=
locateandfilter/assets/js/laf.js?ver=
locateandfilter/assets/js/laf-frontend.js?ver=
locateandfilter/assets/js/laf-editor-block.js?ver=
locateandfilter/assets/js/laf-select2.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
laf-map-wrapper, laf-map, laf-filter-form, laf-filter-group, laf-filter-item, laf-input-wrapper, laf-search-input, laf-taxonomy-filter, +7 more
HTML Comments
<!-- LocateAndFilter -->
<!-- End LocateAndFilter -->
<!-- LAF Shortcode START -->
<!-- LAF Shortcode END -->
Data Attributes
data-laf-map-id, data-laf-options, data-laf-marker-cluster, data-laf-filter-options, data-laf-shortcode-id
JS Globals
locateAndFilterMaps, LafFrontend, LafEditorBlock
REST Endpoints
/wp-json/locateandfilter/v1/map
/wp-json/locateandfilter/v1/markers
Shortcode Output
[locate-and-filter-map
[locate-and-filter-form
FAQ

Frequently Asked Questions about LocateAndFilter