WP-Safety

Map pins Security & Risk Analysis

wordpress.org/plugins/map-pins

Add custom markers on an embedded Google Map. Includes full search-ability, my-location via GPS, a list of nearby locations, and business hours.

30 active installs v1.29 PHP + WP 3.0.5+ Updated Sep 26, 2018
categoriesgoogle-mapsmapmapsshortcode
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Map pins Safe to Use in 2026?

Generally Safe

Score 85/100

Map pins has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The 'map-pins' plugin v1.29 exhibits a generally good security posture with several positive indicators. The absence of known CVEs and the use of prepared statements for the vast majority of SQL queries are strong points. The presence of a nonce check on its single shortcode also suggests an awareness of basic security practices.

However, there are significant areas for concern. The extremely low percentage of properly escaped output (3%) is a major red flag, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. While the taint analysis shows only one flow with unsanitized paths and no critical or high severity issues identified, this is likely due to the limited scope of the analysis or the specific nature of the plugin's functionality. The complete lack of capability checks on any entry points means that users, regardless of their role, could potentially interact with these functions in unintended ways.

Given the plugin's clean vulnerability history, it has not historically posed a significant threat. However, the static analysis reveals a critical weakness in output escaping. The plugin's strengths lie in its limited attack surface and use of prepared statements. Its weaknesses are the insufficient output escaping and the absence of capability checks on its shortcode, which could allow unauthorized access to its features.

Key Concerns

  • Low percentage of properly escaped output
  • No capability checks on shortcode
  • Flow with unsanitized paths found
Vulnerabilities
None known

Map pins Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Map pins Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
8 prepared
Unescaped Output
39
1 escaped
Nonce Checks
1
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

89% prepared9 total queries

Output Escaping

3% escaped40 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows1 with unsanitized paths
marker_edit (include\mappins.php:207)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Map pins Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[mappins-map] map-pins.php:39
WordPress Hooks 5
actioninitmap-pins.php:25
actionadmin_initmap-pins.php:26
actionadmin_enqueue_scriptsmap-pins.php:48
actionwp_footermap-pins.php:49
actionadmin_menumap-pins.php:50
Maintenance & Trust

Map pins Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29
Last updatedSep 26, 2018
PHP min version
Downloads5K

Community Trust

Rating100/100
Number of ratings4
Active installs30
Alternatives

Map pins Alternatives

Very simple Google map

Very simple Google map

very-simple-google-map

A
100

This is s very simple plugin for Google map

10 No CVEs
Simple Map

Simple Map

simple-map

A
85

Easy way to embed google map(s).

10K No CVEs
Simple Shortcode for Google Maps

Simple Shortcode for Google Maps

simple-google-maps-short-code

A
91

A simple shortcode for embedding Google Maps in any WordPress post, page or widget.

4K 1 CVE
Vanilla Adaptive Maps

Vanilla Adaptive Maps

vanilla-adaptive-maps

A
85

Map any address with a shortcode. Mobile users get a static map; desktop users will see a google map.

100 No CVEs
Google Maps Photo Gallery

Google Maps Photo Gallery

google-maps-photo-gallery

A
85

The shortcode for gallery on Google Maps with geotagged photos.

80 No CVEs
Developer Profile

Map pins Developer Profile

rvwoens

1 plugin · 30 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Map pins

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/map-pins/styles/mappins-styles.css/wp-content/plugins/map-pins/js/coslib.js/wp-content/plugins/map-pins/js/coslib-opentimes.js/wp-content/plugins/map-pins/js/coslib-markers.js/wp-content/plugins/map-pins/js/mappins-map.js/wp-content/plugins/map-pins/js/mappins-admin.js
Script Paths
/wp-content/plugins/map-pins/js/coslib.js/wp-content/plugins/map-pins/js/coslib-opentimes.js/wp-content/plugins/map-pins/js/coslib-markers.js/wp-content/plugins/map-pins/js/mappins-map.js/wp-content/plugins/map-pins/js/mappins-admin.js
Version Parameters
map-pins/styles/mappins-styles.css?ver=map-pins/js/coslib.js?ver=map-pins/js/coslib-opentimes.js?ver=map-pins/js/coslib-markers.js?ver=map-pins/js/mappins-map.js?ver=map-pins/js/mappins-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
mappin-searchbarsearch-querymappin-mylocationicom-map-markergmapgeopendmappins-listmappins-map
HTML Comments
<!-- MAPPINS COMMON --><!-- MAPPINS ADMIN -->
Data Attributes
id="gmapsearch"id="gmapmyloc"id="gmapopen"class="gmapgeopend"id="mappins-list"id="mappins-map"+4 more
JS Globals
mappins_optionsmappins_admin_optionsmappins_global
REST Endpoints
/wp-json/map-pins/v1/markers/wp-json/map-pins/v1/settings/wp-json/map-pins/v1/categories/wp-json/map-pins/v1/category/
Shortcode Output
<div class='mappin-searchbar'><input type='text' id='gmapsearch'<a href'#' id='gmapmyloc'><input type='checkbox' id='gmapopen'
FAQ

Frequently Asked Questions about Map pins