Does Locus have any unpatched vulnerabilities?

No. All known vulnerabilities in Locus have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Locus compatible with WordPress 3.9.40?

According to WordPress.org data, Locus 1.0 has been tested up to WordPress 3.9.40. Check the plugin's changelog for the latest compatibility information.

How often is Locus updated?

Locus was last updated on Apr 17, 2014. Frequent updates are generally a positive security signal.

What is Locus's security score?

Locus has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Locus Security & Risk Analysis

wordpress.org/plugins/locus

Locus allows you display any post, page or post type in widgetized areas of you site.

30 active installs v1.0 PHP + WP 3.0+ Updated Apr 17, 2014

categoriespagespost-typespostswidgets

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Locus Safe to Use in 2026?

Generally Safe

Score 85/100

Locus has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 11yr ago

Risk Assessment

The plugin "locus" v1.0 exhibits a mixed security posture. On the positive side, there are no reported CVEs, no evidence of taint flows, and all SQL queries utilize prepared statements. File operations and external HTTP requests are also absent, which reduces potential attack vectors. However, several significant concerns are raised by the static analysis. The presence of three instances of `create_function` is a major red flag, as this deprecated function is notoriously prone to security vulnerabilities, particularly code injection. Furthermore, only 5% of output is properly escaped, leaving a substantial portion of the plugin's output vulnerable to Cross-Site Scripting (XSS) attacks. The complete lack of nonce checks and the minimal use of capability checks (only 2) on the identified entry points are also critical weaknesses, meaning that even if entry points existed, they would likely be unprotected against unauthorized actions.

Key Concerns

Dangerous function 'create_function' found
Low output escaping (5%)
No nonce checks on entry points
Minimal capability checks

Vulnerabilities

None known

Locus Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Locus Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

123

7 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

create_functionadd_action('widgets_init', create_function('', 'return register_widget("PPostTypeWidget");'),3);locus.php:23

create_functionadd_action('widgets_init', create_function('', 'return register_widget("PPWidget");'),4);locus.php:24

create_functionadd_action('widgets_init', create_function('', 'return register_widget("PlacedSingleContent");'),5);locus.php:25

Output Escaping

5% escaped130 total outputs

Attack Surface

Locus Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 9

actioninitlocus.php:15

actioninitlocus.php:19

actionwidgets_initlocus.php:23

actionwidgets_initlocus.php:24

actionwidgets_initlocus.php:25

actionadmin_menulocus.php:26

actionadmin_headlocus.php:27

filterexcerpt_lengthlocus.php:28

filterget_headerlocus.php:32

Maintenance & Trust

Locus Maintenance & Trust

Maintenance Signals

WordPress version tested3.9.40

Last updatedApr 17, 2014

PHP min version

Downloads6K

Community Trust

Rating100/100

Number of ratings1

Active installs30

Alternatives

Locus Alternatives

Essential Widgets

essential-widgets

Essential Widgets is a WordPress plugin for widgets that allows you to create and add amazing widgets with high customization option

10K 2 CVEs

Selectable Post and Page

selectable-post-and-page

Display your selected post and page.

10 No CVEs

No Page Comment

no-page-comment

An admin interface to control the default comment and trackback settings on new posts, pages and custom post types.

10K 2 CVEs

Posts in Page

posts-in-page

Easily add one or more posts to any page using simple shortcodes.

10K 1 CVE

Flexible Posts Widget

flexible-posts-widget

An advanced posts display widget with many options. Display posts in your sidebars any way you'd like!

8K No CVEs

Developer Profile

Locus Developer Profile

Diana K. Cury

1 plugin · 30 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Locus

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/locus/control/locus-style.css

HTML / DOM Fingerprints

CSS Classes

locus-adminspecial

FAQ