MapPress Maps for WordPress Security & Risk Analysis

wordpress.org/plugins/mappress-google-maps-for-wordpress

MapPress is the easiest way to add unlimited interactive Google and Leaflet maps to WordPress.

30K active installs · v2.95.10 · PHP 7.0+ · WP 5.9.5+ · Updated Feb 3, 2026
Tags: google-maps, leaflet, map-plugin, maps, store-locator
Score: 94 (A · Safe)
CVEs total: 14
Unpatched: 0
Last CVE: Mar 27, 2025
Safety Verdict

Is MapPress Maps for WordPress Safe to Use in 2026?

Generally Safe

Score 94/100

MapPress Maps for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

14 known CVEs · Last CVE: Mar 27, 2025 · Updated 2mo ago
Risk Assessment

The mappress-google-maps-for-wordpress plugin v2.95.10 presents a mixed security posture. While it demonstrates good practices in several areas, including a high percentage of SQL queries using prepared statements and a significant number of properly escaped outputs, there are notable concerns. The presence of one AJAX handler without authentication checks creates an immediate attack vector. The use of the `unserialize` function, although flagged as a single instance, is inherently risky as it can lead to remote code execution if not handled with extreme care and validation, especially when dealing with untrusted input.

The plugin's vulnerability history is a significant red flag, with a substantial number of known CVEs (14 total), including high and medium severity issues such as Cross-Site Scripting, Missing Authorization, SQL Injection, and Unrestricted File Uploads. Although no currently unpatched vulnerabilities are listed, the pattern of past vulnerabilities suggests a recurring weakness in input validation and authorization mechanisms.

This historical context, combined with the identified code-level risks, points to an overall posture that requires careful consideration and prompt attention to mitigate potential threats.

Key Concerns

  • AJAX handler without authentication check
  • Use of dangerous function: unserialize
  • High number of known vulnerabilities (14)
  • Multiple high severity past vulnerabilities
  • Flows with unsanitized paths
Vulnerabilities
14

MapPress Maps for WordPress Security Vulnerabilities

CVEs by Year

2020: 2 CVEs
2022: 2 CVEs
2023: 2 CVEs
2024: 6 CVEs
2025: 2 CVEs

Severity Breakdown

High: 2
Medium: 12

14 total CVEs

CVE-2025-2162 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MapPress Maps for WordPress <= 2.94.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Mar 27, 2025 Patched in 2.94.10 (27d)
CVE-2025-2055 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MapPress Maps for WordPress <= 2.94.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 13, 2025 Patched in 2.94.9 (28d)
CVE-2024-10715 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MapPress Maps for WordPress <= 2.94.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Map Block

Nov 5, 2024 Patched in 2.94.2 (1d)
CVE-2024-8620 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MapPress Maps for WordPress <= 2.92.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 24, 2024 Patched in 2.93 (248d)
CVE-2023-7225 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MapPress <= 2.88.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Map Settings

Jan 29, 2024 Patched in 2.88.17 (183d)
CVE-2024-0420 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MapPress Maps for WordPress <= 2.88.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 17, 2024 Patched in 2.88.15 (66d)
CVE-2024-0421 · medium · 5.3 · Missing Authorization

MapPress Maps for WordPress <= 2.88.15 - Insufficient Authorization to Information Disclosure

Jan 17, 2024 Patched in 2.88.16 (66d)
CVE-2023-6524 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MapPress Maps for WordPress <= 2.88.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 2, 2024 Patched in 2.88.14 (210d)
CVE-2023-4840 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MapPress Maps for WordPress <= 2.88.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Sep 11, 2023 Patched in 2.88.5 (134d)
CVE-2023-26015 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

MapPress Maps for WordPress <= 2.85.4 - Authenticated (Contributor+) SQL Injection via get_maps

Apr 6, 2023 Patched in 2.85.5 (292d)
CVE-2022-0537 · medium · 6 · Unrestricted Upload of File with Dangerous Type

MapPress Maps for WordPress <= 2.73.12 - Admin+ File Upload to Remote Code Execution

Mar 14, 2022 Patched in 2.73.13 (680d)
CVE-2022-0208 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MapPress Maps <= 2.73.3 - Reflected Cross-Site Scripting

Jan 17, 2022 Patched in 2.73.4 (736d)
CVE-2020-12675 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

MapPress Maps <= 2.54.5 - Remote Code Execution via Improper Capability Checks in AJAX Calls

May 28, 2020 Patched in 2.54.6 (1335d)
CVE-2020-12077 · medium · 6.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MapPress Maps for WordPress <=2.53.8 - Authenticated Map Creation/Deletion to Stored Cross-Site Scripting & Remote Code Execution

Apr 1, 2020 Patched in 2.53.9 (1392d)
Code Analysis
Analyzed Mar 16, 2026

MapPress Maps for WordPress Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 11 (32 prepared)
Unescaped Output: 16 (43 escaped)
Nonce Checks: 13
Capability Checks: 24
File Operations: 5
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$mapdata = unserialize($row->obj);` (mappress_db.php:103)

SQL Query Safety

74% prepared · 43 total queries

Output Escaping

73% escaped · 59 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

6 flows · 2 with unsanitized paths
template_redirect (mappress.php:1078)
Attack Surface
1 unprotected

MapPress Maps for WordPress Attack Surface

Entry Points: 17
Unprotected: 1

AJAX Handlers 15

auth · wp_ajax_mapp_dismiss · mappress.php:111
auth · wp_ajax_mapp_upgrade · mappress_db.php:7
auth · wp_ajax_mapp_get_post · mappress_map.php:111
nopriv · wp_ajax_mapp_get_post · mappress_map.php:112
auth · wp_ajax_mapp_license_check · mappress_settings.php:125
auth · wp_ajax_mapp_geocode · mappress_settings.php:126
auth · wp_ajax_mapp_options_reset · mappress_settings.php:127
auth · wp_ajax_mapp_option_save · mappress_settings.php:128
auth · wp_ajax_mapp_options_save · mappress_settings.php:129
auth · wp_ajax_mapp_preferences_save · mappress_settings.php:130
auth · wp_ajax_mapp_style_delete · mappress_settings.php:131
auth · wp_ajax_mapp_style_save · mappress_settings.php:132
auth · wp_ajax_mapp_tpl_get · mappress_template.php:21
auth · wp_ajax_mapp_tpl_save · mappress_template.php:22
auth · wp_ajax_mapp_tpl_delete · mappress_template.php:23

Shortcodes 2

[mappress] mappress.php:82
[mashup] mappress.php:100
WordPress Hooks 36
action · admin_menu · mappress.php:78
action · init · mappress.php:79
action · plugins_loaded · mappress.php:80
action · admin_notices · mappress.php:83
filter · the_content · mappress.php:86
action · wp_head · mappress.php:89
action · admin_head · mappress.php:90
action · wp_enqueue_scripts · mappress.php:93
action · admin_enqueue_scripts · mappress.php:94
filter · script_loader_tag · mappress.php:104
filter · heartbeat_settings · mappress.php:108
filter · block_categories_all · mappress.php:115
filter · block_categories · mappress.php:117
filter · mime_types · mappress.php:119
action · admin_init · mappress.php:124
action · template_redirect · mappress.php:128
filter · wp_img_tag_add_decoding_attr · mappress.php:132
filter · script_loader_tag · mappress.php:845
action · rest_api_init · mappress_api.php:6
filter · cmplz_known_script_tags · mappress_compliance.php:13
filter · cmplz_detected_services · mappress_compliance.php:15
filter · cmplz_whitelisted_script_tags · mappress_compliance.php:16
action · deleted_post · mappress_map.php:114
action · trashed_post · mappress_map.php:115
action · media_buttons · mappress_map.php:116
action · show_user_profile · mappress_map.php:118
action · edit_user_profile · mappress_map.php:119
action · deleted_user · mappress_map.php:120
action · load-toplevel_page_mappress · mappress_settings.php:133
action · admin_print_scripts · mappress_template.php:27
action · admin_print_footer_scripts · mappress_template.php:28
action · wp_print_scripts · mappress_template.php:32
action · wp_footer · mappress_template.php:33
action · mappress_map_save · mappress_wpml.php:5
action · mappress_map_display · mappress_wpml.php:6
action · wpml_pro_translation_completed · mappress_wpml.php:10
Maintenance & Trust

MapPress Maps for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Feb 3, 2026
PHP min version: 7.0
Downloads: 4.8M

Community Trust

Rating: 94/100
Number of ratings: 146
Active installs: 30K
Developer Profile

MapPress Maps for WordPress Developer Profile

chrisvrichardson

1 plugin · 30K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 386 days
Detection Fingerprints

How We Detect MapPress Maps for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mappress-google-maps-for-wordpress/css/mappress.css
/wp-content/plugins/mappress-google-maps-for-wordpress/css/mappress-admin.css
/wp-content/plugins/mappress-google-maps-for-wordpress/css/mappress-blocks.css
/wp-content/plugins/mappress-google-maps-for-wordpress/css/mappress-editor.css
/wp-content/plugins/mappress-google-maps-for-wordpress/js/mappress.js
/wp-content/plugins/mappress-google-maps-for-wordpress/js/mappress-admin.js
/wp-content/plugins/mappress-google-maps-for-wordpress/js/mappress-blocks.js
/wp-content/plugins/mappress-google-maps-for-wordpress/js/mappress-editor.js
+5 more
Version Parameters
mappress-google-maps-for-wordpress/css/mappress.css?ver=
mappress-google-maps-for-wordpress/css/mappress-admin.css?ver=
mappress-google-maps-for-wordpress/css/mappress-blocks.css?ver=
mappress-google-maps-for-wordpress/css/mappress-editor.css?ver=
mappress-google-maps-for-wordpress/js/mappress.js?ver=
mappress-google-maps-for-wordpress/js/mappress-admin.js?ver=
mappress-google-maps-for-wordpress/js/mappress-blocks.js?ver=
mappress-google-maps-for-wordpress/js/mappress-editor.js?ver=
mappress-google-maps-for-wordpress/js/mappress-poi.js?ver=
mappress-google-maps-for-wordpress/js/mappress-import.js?ver=
mappress-google-maps-for-wordpress/js/mappress-map.js?ver=
mappress-google-maps-for-wordpress/js/mappress-settings.js?ver=
mappress-google-maps-for-wordpress/js/mappress-welcome.js?ver=

HTML / DOM Fingerprints

CSS Classes
mappress-map-canvas, mappress-block, mappress-shortcode, mappress-overlay, mappress-sidebar, mappress-editor-wrapper, mappress-poi-preview, mappress-settings-form, +3 more
HTML Comments
<!-- MAPPRESS_START -->
<!-- MAPPRESS_END -->
<!-- MAPPRESS_MAP_START -->
<!-- MAPPRESS_MAP_END -->
Data Attributes
data-mappressid, data-mappress-options, data-mappress-mapid, data-mappress-poiid
JS Globals
Mappress, mappress
Shortcode Output
[mappress], [mashup]
FAQ

Frequently Asked Questions about MapPress Maps for WordPress