Locatoraid Store Locator Security & Risk Analysis

wordpress.org/plugins/locatoraid

A lightweight, reliable store locator backed by ongoing maintenance, updates, and support. Premium version adds CSV import, custom fields, custom map …

1K active installs · v3.9.68 · PHP 5.3+ · WP 3.3+ · Updated Feb 27, 2026

Tags: dealer-locator, geocoding, location-finder, store-locator, zip-code

Score: 62 (C · Use Caution)
CVEs total: 8
Unpatched: 1
Last CVE: Dec 31, 2025

Is Locatoraid Store Locator Safe to Use in 2026?

Use With Caution

Score 62/100

Locatoraid Store Locator has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

8 known CVEs · 1 unpatched · Last CVE: Dec 31, 2025 · Updated 1mo ago
Risk Assessment

The Locatoraid v3.9.68 plugin exhibits several concerning security weaknesses despite some positive attributes. The plugin presents a significant attack surface with 4 out of 4 REST API routes lacking permission callbacks, meaning any user could potentially interact with these endpoints. The static analysis also revealed the use of the deprecated and insecure `create_function` within the code, a known source of vulnerabilities. Furthermore, only 20% of output is properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. While the majority of SQL queries use prepared statements, this does not mitigate risks from other identified issues.

The plugin's vulnerability history is particularly alarming, with 8 previously disclosed CVEs, including one critical and seven medium-severity vulnerabilities. The fact that one critical vulnerability remains unpatched as of December 31, 2025, is a severe red flag. The common vulnerability types such as XSS, Deserialization of Untrusted Data, and Cross-Site Request Forgery (CSRF) align with the observed code signals, such as poor output escaping and the large attack surface. The presence of file operations and external HTTP requests without clear indications of sanitization further compounds these risks.

In conclusion, while the plugin demonstrates some good practices like using prepared statements for most SQL queries, the combination of a large unprotected attack surface, insecure coding practices like `create_function`, insufficient output escaping, and a history of numerous and significant vulnerabilities, including an unpatched critical one, points to a high-risk plugin. Immediate attention and remediation are strongly advised.

Key Concerns

  • Unpatched Critical CVE
  • REST API routes without permission callbacks
  • Poor output escaping (20% properly escaped)
  • Use of dangerous function: create_function
  • High number of historical CVEs (8 total)
  • Insecure Deserialization vulnerability history
  • Cross-Site Request Forgery (CSRF) vulnerability history

Locatoraid Store Locator Security Vulnerabilities

CVEs by Year

  • 2023: 4 CVEs
  • 2024: 2 CVEs
  • 2025: 2 CVEs (has unpatched)

Severity Breakdown

  • Critical: 1
  • Medium: 7

8 total CVEs

CVE-2025-62140 · Medium (4.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Locatoraid Store Locator <= 3.9.65 - Authenticated (Administrator+) Stored Cross-Site Scripting
  Dec 31, 2025 · Unpatched

CVE-2024-56283 · Critical (9.8) · Deserialization of Untrusted Data
  Locatoraid Store Locator <= 3.9.50 - Unauthenticated PHP Object Injection
  Jan 3, 2025 · Patched in 3.9.51 (6d)

CVE-2024-9652 · Medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Locatoraid Store Locator <= 3.9.47 - Reflected Cross-Site Scripting
  Oct 15, 2024 · Patched in 3.9.48 (1d)

CVE-2024-30181 · Medium (5.5) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Locatoraid Store Locator <= 3.9.30 - Authenticated (Administrator+) Stored Cross-Site Scripting
  Mar 25, 2024 · Patched in 3.9.31 (8d)

CVE-2023-4476 · Medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Locatoraid Store Locator <= 3.9.23 - Reflected Cross-Site Scripting
  Aug 28, 2023 · Patched in 3.9.24 (148d)

CVE-2023-32576 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Locatoraid Store Locator <= 3.9.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting
  May 11, 2023 · Patched in 3.9.19 (257d)

CVE-2023-2031 · Medium (5.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Locatoraid Store Locator <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  Apr 17, 2023 · Patched in 3.9.15 (281d)

CVE-2023-25709 · Medium (4.3) · Cross-Site Request Forgery (CSRF)
  Locatoraid Store Locator <= 3.9.11 - Cross Site Request Forgery in grab
  Feb 14, 2023 · Patched in 3.9.12 (343d)
Locatoraid Store Locator Code Analysis

Analyzed Mar 16, 2026

  • Dangerous functions: 1
  • Raw SQL queries: 5 (59 prepared)
  • Unescaped output: 176 (43 escaped)
  • Nonce checks: 1
  • Capability checks: 3
  • File operations: 1
  • External requests: 1
  • Bundled libraries: 0

Dangerous Functions Found

  • `create_function` at locatoraid.php:20: `add_action( 'admin_notices', create_function( '', "echo '<div class=\"error\"><p>".__('Locatoraid re`

SQL Query Safety

92% prepared (64 total queries)

Output Escaping

20% escaped (219 total outputs)

Data Flow Analysis

3 flows · all sanitized

  • renderSearchForm (modules\widget.wordpress\blocks.php:111)
Locatoraid Store Locator Attack Surface

Entry points: 4 · Unprotected: 4

REST API Routes (4)

  • GET /wp-json/locatoraid/v3/locations (modules\rest\plugin.php:111)
  • GET /wp-json/locatoraid/v3/locations/(?P<id>\d+) (modules\rest\plugin.php:125)
  • GET /wp-json/locatoraid/v3/locations (modules\rest\_config_bootstrap.php:68)
  • GET /wp-json/locatoraid/v3/locations/(?P<id>[\d\-]+) (modules\rest\_config_bootstrap.php:84)
WordPress Hooks (19)

  • action init (happ2\lib-wp\hcWpBase6.php:165)
  • action init (happ2\lib-wp\hcWpBase6.php:166)
  • action admin_init (happ2\lib-wp\hcWpBase6.php:497)
  • action admin_menu (happ2\lib-wp\hcWpBase6.php:498)
  • action admin_menu (happ2\lib-wp\hcWpBase6.php:500)
  • filter parent_file (happ2\lib-wp\hcWpBase6.php:502)
  • action admin_init (happ2\lib-wp\hcWpBase6.php:560)
  • action admin_notices (happ2\modules\flashdata.wordpress.layout\_config_bootstrap.php:12)
  • filter posts_where (happ2\modules\wordpress\lib_custom_search.php:13)
  • filter posts_join (happ2\modules\wordpress\lib_custom_search.php:14)
  • filter posts_distinct (happ2\modules\wordpress\lib_custom_search.php:15)
  • action admin_notices (locatoraid.php:20)
  • action init (locatoraid.php:47)
  • action widgets_init (locatoraid.php:72)
  • action init (modules\rest\plugin.php:24)
  • action rest_api_init (modules\rest\plugin.php:58)
  • action rest_api_init (modules\rest\_config_bootstrap.php:20)
  • action init (modules\widget.wordpress\blocks.php:11)
  • action widgets_init (modules\widget.wordpress\widget_searchform.php:87)
Locatoraid Store Locator Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 27, 2026
  • PHP min version: 5.3
  • Downloads: 176K

Community Trust

  • Rating: 90/100
  • Number of ratings: 17
  • Active installs: 1K
Locatoraid Store Locator Developer Profile

plainware · 5 plugins · 2K total installs

  • Trust score: 67
  • Avg security score: 83/100
  • Avg patch time: 136 days

How We Detect Locatoraid Store Locator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset paths:

  • /wp-content/plugins/locatoraid/happ2/assets/js/hc2.js
  • /wp-content/plugins/locatoraid/happ2/modules/maps_google/assets/js/gmaps.js
  • /wp-content/plugins/locatoraid/modules/front/assets/js/front.js
  • /wp-content/plugins/locatoraid/modules/directions.front/assets/js/directions.js
  • /wp-content/plugins/locatoraid/happ2/assets/css/hc.css

Script paths:

  • /wp-content/plugins/locatoraid/happ2/assets/js/hc2.js
  • /wp-content/plugins/locatoraid/happ2/modules/maps_google/assets/js/gmaps.js
  • /wp-content/plugins/locatoraid/modules/front/assets/js/front.js
  • /wp-content/plugins/locatoraid/modules/directions.front/assets/js/directions.js

Version parameters: hcver=, ver=

HTML / DOM Fingerprints

JS globals: hc2_hc_vars, hc2_gmaps_vars, hc2_front_vars, hc2_directions_front_vars, lc3_plugin_path, lc3_plugin_url (+4 more)

REST endpoints: /wp-json/locatoraid/v3/locations

Frequently Asked Questions about Locatoraid Store Locator