Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget Security & Risk Analysis

wordpress.org/plugins/location-weather

Customizable WordPress Weather Forecast plugin to display Current Temperature, Hourly & Daily Forecasts, up to 16-Day, Air Quality, & Live Weather Map

10K active installs · v3.0.2 · PHP 7.4+ · WP 5.0+ · Updated Apr 7, 2026
Tags: air-quality, block, live-weather, weather-block, weather-forecast
Score: 100 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jan 18, 2023
Safety Verdict

Is Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget Safe to Use in 2026?

Generally Safe

Score 100/100

Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Jan 18, 2023 · Updated 1mo ago
Risk Assessment

The "location-weather" plugin version 3.0.1 exhibits a mixed security posture. While it demonstrates good practices in terms of output escaping (90%) and a strong presence of nonce and capability checks, there are significant areas of concern. The presence of two AJAX handlers and two REST API routes without proper authentication or permission checks creates direct attack vectors. Although taint analysis shows no critical or high severity vulnerabilities, `unserialize` is a dangerous function that, if not handled with extreme care, can lead to remote code execution, especially if the serialized data can be influenced by user input. The plugin's vulnerability history, with one past medium-severity CVE related to Cross-Site Scripting, suggests that while major issues have been addressed, the potential for input sanitization flaws exists. Overall, the plugin has some solid security foundations but requires immediate attention to its unprotected entry points and cautious handling of potentially dangerous functions.

Key Concerns

  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • Dangerous function: unserialize
  • SQL queries not using prepared statements (only 20% prepared)
  • Past medium severity CVE (XSS)
Vulnerabilities
1 published

Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget Security Vulnerabilities

CVEs by Year

1 CVE in 2023

Severity Breakdown

Medium: 1

1 total CVE

CVE-2023-0360 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Location Weather <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

Jan 18, 2023 · Patched in 1.3.4 (370d)
Version History

Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget Release Timeline

v3.0.2 (Current)
v3.0.1
v3.0.0
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v2.0.18
v2.0.17
v2.0.16
v2.0.15
v2.0.14
v2.0.13
v2.0.12
v2.0.11
v2.0.10
v2.0.9
Code Analysis
Analyzed Mar 16, 2026

Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 16 (4 prepared)
Unescaped Output: 124 (1166 escaped)
Nonce Checks: 25
Capability Checks: 16
File Operations: 2
External Requests: 9
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$plugins = unserialize( $response['body'] );` · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:456
unserialize · `$plugins = unserialize( $response['body'] );` · includes\Admin\Splw_Help.php:138

SQL Query Safety

20% prepared · 20 total queries

Output Escaping

90% escaped · 1290 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

13 flows
splw_update_block_options (includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:255)
Attack Surface
4 unprotected

Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget Attack Surface

Entry Points: 26
Unprotected: 4

AJAX Handlers 21

auth · wp_ajax_splw_update_block_options · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:48
auth · wp_ajax_splw_changelog_data · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:49
auth · wp_ajax_splw_get_user_consent · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:51
auth · wp_ajax_splw_update_setting_options · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:55
auth · wp_ajax_lwp_clean_weather_transients · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:56
auth · wp_ajax_location-weather-never-show-review-notice · includes\Admin\Admin_Notices.php:26
auth · wp_ajax_splwt-get-icons · includes\Admin\framework\functions\actions.php:56
auth · wp_ajax_splwt-export · includes\Admin\framework\functions\actions.php:91
auth · wp_ajax_splwt-import · includes\Admin\framework\functions\actions.php:125
auth · wp_ajax_splwt-reset · includes\Admin\framework\functions\actions.php:150
auth · wp_ajax_lwp_clean_open_weather_transients · includes\Admin\framework\functions\actions.php:196
auth · wp_ajax_splwt-chosen · includes\Admin\framework\functions\actions.php:233
auth · wp_ajax_sp_location_weather_preview_meta_box · includes\Admin\Preview\LW_Preview.php:41
auth · wp_ajax_shapedplugin_dismiss_offer_banner · includes\Admin\ShapedPlugin_Offer_Banner.php:34
auth · wp_ajax_splw_ajax_block_data · includes\Blocks\Blocks.php:87
nopriv · wp_ajax_splw_ajax_block_data · includes\Blocks\Blocks.php:88
auth · wp_ajax_splw_block_color_settings_ajax · includes\Blocks\Blocks.php:90
auth · wp_ajax_splw_export_shortcodes · main.php:85
auth · wp_ajax_splw_import_shortcodes · main.php:86
auth · wp_ajax_splw_ajax_location_weather · main.php:87
nopriv · wp_ajax_splw_ajax_location_weather · main.php:88

REST API Routes 3

POST · /wp-json/spl-weather/v2/weather-save-block-css · includes\Blocks\Includes\Manage_Dynamic_CSS.php:47
GET · /wp-json/spl-weather/v2/get_premade_patterns/ · includes\Blocks\Includes\Weather_Premade_Patterns.php:43
GET · /wp-json/spl-weather/v2/save_wishlist_item · includes\Blocks\Includes\Weather_Premade_Patterns.php:56

Shortcodes 2

[location_weather] includes\Admin\LW_Saved_Templates.php:37
[location-weather] includes\Frontend\Shortcode.php:26
WordPress Hooks 68
action · admin_menu · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:47
action · admin_enqueue_scripts · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:50
action · init · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:52
action · admin_notices · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:53
action · admin_print_scripts · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:54
action · admin_menu · includes\Admin\AdminDashboard\Splw_Blocks_Page_Wrapper.php:106
action · admin_notices · includes\Admin\Admin_Notices.php:25
filter · cron_schedules · includes\Admin\Cron.php:25
action · wp · includes\Admin\Cron.php:26
action · wp_enqueue_scripts · includes\Admin\framework\classes\abstract.class.php:54
action · admin_menu · includes\Admin\framework\classes\admin-options.class.php:169
action · admin_bar_menu · includes\Admin\framework\classes\admin-options.class.php:170
action · network_admin_menu · includes\Admin\framework\classes\admin-options.class.php:174
action · add_meta_boxes · includes\Admin\framework\classes\metabox-options.class.php:106
action · save_post · includes\Admin\framework\classes\metabox-options.class.php:107
action · edit_attachment · includes\Admin\framework\classes\metabox-options.class.php:108
action · after_setup_theme · includes\Admin\framework\classes\SPLW.php:109
action · init · includes\Admin\framework\classes\SPLW.php:110
action · switch_theme · includes\Admin\framework\classes\SPLW.php:111
action · admin_enqueue_scripts · includes\Admin\framework\classes\SPLW.php:112
action · wp_head · includes\Admin\framework\classes\SPLW.php:113
filter · admin_body_class · includes\Admin\framework\classes\SPLW.php:114
filter · admin_footer_text · includes\Admin\framework\classes\SPLW.php:424
filter · update_footer · includes\Admin\framework\classes\SPLW.php:425
action · init · includes\Admin\Gutenberg_Block\Gutenberg_Block_Init.php:37
action · enqueue_block_editor_assets · includes\Admin\Gutenberg_Block\Gutenberg_Block_Init.php:38
action · elementor/preview/enqueue_scripts · includes\Admin\Location_Weather_Shortcode_Block.php:76
action · elementor/preview/enqueue_styles · includes\Admin\Location_Weather_Shortcode_Block.php:77
action · elementor/editor/before_enqueue_scripts · includes\Admin\Location_Weather_Shortcode_Block.php:78
action · elementor/init · includes\Admin\Location_Weather_Shortcode_Block.php:145
action · elementor/widgets/register · includes\Admin\Location_Weather_Shortcode_Block.php:162
action · init · includes\Admin\LW_Saved_Templates.php:34
action · admin_init · includes\Admin\LW_Saved_Templates.php:35
filter · use_block_editor_for_post_type · includes\Admin\LW_Saved_Templates.php:36
action · init · includes\Admin\Post_Type.php:23
action · admin_enqueue_scripts · includes\Admin\Scripts.php:30
action · admin_notices · includes\Admin\ShapedPlugin_Offer_Banner.php:33
action · admin_menu · includes\Admin\Splw_Help.php:62
action · admin_print_scripts · includes\Admin\Splw_Help.php:63
action · admin_init · includes\Admin\Updater.php:52
filter · wp_revisions_to_keep · includes\Admin\updates\update-1.3.0.php:35
filter · manage_location_weather_posts_columns · includes\Admin.php:37
action · manage_location_weather_posts_custom_column · includes\Admin.php:38
filter · post_updated_messages · includes\Admin.php:39
action · plugins_loaded · includes\Blocks\Blocks.php:58
action · init · includes\Blocks\Blocks.php:72
action · enqueue_block_assets · includes\Blocks\Blocks.php:74
filter · rest_post_collection_params · includes\Blocks\Blocks.php:76
filter · block_categories · includes\Blocks\Blocks.php:82
filter · block_categories_all · includes\Blocks\Blocks.php:84
action · rest_api_init · includes\Blocks\Includes\Manage_Dynamic_CSS.php:32
action · wp_enqueue_scripts · includes\Blocks\Includes\Manage_Dynamic_CSS.php:36
action · deleted_post · includes\Blocks\Includes\Manage_Dynamic_CSS.php:40
action · rest_api_init · includes\Blocks\Includes\Weather_Premade_Patterns.php:31
action · wp_enqueue_scripts · includes\Frontend\Scripts.php:41
action · after_setup_theme · main.php:79
filter · plugin_action_links · main.php:80
action · plugins_loaded · main.php:81
action · widgets_init · main.php:82
action · activated_plugin · main.php:83
action · wp_loaded · main.php:89
action · save_post · main.php:90
action · admin_notices · main.php:91
action · network_admin_notices · main.php:92
filter · sp_open_weather_api_cache_time · main.php:93
action · location_weather_weekly_scheduled_events · main.php:94
filter · plugin_row_meta · main.php:96
filter · pll_get_post_types · main.php:108

Scheduled Events 1

location_weather_weekly_scheduled_events
Maintenance & Trust

Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Apr 7, 2026
PHP min version: 7.4
Downloads: 428K

Community Trust

Rating: 90/100
Number of ratings: 98
Active installs: 10K
Developer Profile

Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget Developer Profile

ShapedPlugin LLC

18 plugins · 315K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 361 days
Detection Fingerprints

How We Detect Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/location-weather/assets/css/frontend.css
/wp-content/plugins/location-weather/assets/js/frontend.js
/wp-content/plugins/location-weather/assets/css/weather-icons.min.css
/wp-content/plugins/location-weather/assets/js/splw-frontend.js
Script Paths
/wp-content/plugins/location-weather/assets/js/frontend.js
/wp-content/plugins/location-weather/assets/js/splw-frontend.js
Version Parameters
location-weather/assets/css/frontend.css?ver=
location-weather/assets/js/frontend.js?ver=
location-weather/assets/css/weather-icons.min.css?ver=
location-weather/assets/js/splw-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
splw-shortcode-wrapper
splw-weather-widget
location-weather-widget
Data Attributes
data-location-weather
JS Globals
splw_ajax_object
REST Endpoints
/wp-json/location-weather/v1/get-weather
Shortcode Output
<div class="splw-shortcode-wrapper">
<div id="location-weather-widget-
<div class="splw-weather-widget"
FAQ

Frequently Asked Questions about Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget