Office Locator Security & Risk Analysis

wordpress.org/plugins/office-locator

Looking for a reliable and easy-to-use office locator plugin to enhance your business website? Look no further! Our office locator plugin allows your …

30 active installs · v1.3.0 · PHP 7.0+ · WP 3.0.1+ · Updated Mar 31, 2025
Tags: find-office-locator, google-maps, office-find-locator, office-locations, office-locator
Score: 44 (D · High Risk)
CVEs total: 2
Unpatched: 2
Last CVE: Apr 15, 2025
Safety Verdict

Is Office Locator Safe to Use in 2026?

High Risk

Score 44/100

Office Locator carries significant security risk with 2 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

2 known CVEs · 2 unpatched · Last CVE: Apr 15, 2025 · Updated 1yr ago
Risk Assessment

The "office-locator" plugin v1.3.0 presents a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and implementing nonce checks on all AJAX handlers, several significant concerns elevate its risk profile. The presence of three AJAX handlers without authentication checks creates a substantial attack surface for unauthorized actions. Furthermore, the plugin has a concerning history of known vulnerabilities, with two unpatched high-severity CVEs, specifically SQL injection and PHP Remote File Inclusion. This history, coupled with the recent nature of the last reported vulnerability (2025), suggests a pattern of recurring security flaws and a lack of timely patching, which is a critical indicator of ongoing security weaknesses.

The static analysis reveals potential issues with unsanitized paths in two taint flows, although they are not classified as critical or high severity. However, the vulnerability history, especially the unpatched SQL injection and PHP RFI, directly relates to common attack vectors. The plugin's overall risk is amplified by these historical issues and the exposed AJAX endpoints, despite some positive coding practices. The conclusion is that while the plugin has some robust security implementations, the unpatched high-severity vulnerabilities and unprotected entry points necessitate immediate attention and mitigation.

Key Concerns

  • Unpatched High Severity CVEs
  • Unprotected AJAX handlers
  • Flows with unsanitized paths
  • Improper Output Escaping

Office Locator Security Vulnerabilities

CVEs by Year

2024: 1 CVE · unpatched
2025: 1 CVE · unpatched

Severity Breakdown

High: 2

2 total CVEs

CVE-2025-32665 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Office Locator <= 1.3.0 - Unauthenticated SQL Injection

Apr 15, 2025 · Unpatched

CVE-2024-52501 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Office Locator <= 1.3.0 - Authenticated (Contributor+) Local File Inclusion

Nov 20, 2024 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Office Locator Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 146 (404 escaped)
Nonce Checks: 5
Capability Checks: 1
File Operations: 3
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

73% escaped · 550 total outputs

Data Flow Analysis

7 flows · 2 with unsanitized paths
import_post_address (admin\includes\class-offices-functions.php:386)

Office Locator Attack Surface

Entry Points: 6
Unprotected: 3

AJAX Handlers: 5

  • auth · wp_ajax_import_post_address · admin\includes\class-offices-functions.php:45
  • nopriv · wp_ajax_import_post_address · admin\includes\class-offices-functions.php:46
  • auth · wp_ajax_export_post_address · admin\includes\class-offices-functions.php:48
  • auth · wp_ajax_get_office_locator_stores · public\includes\office-locator-ajax-functions.php:41
  • nopriv · wp_ajax_get_office_locator_stores · public\includes\office-locator-ajax-functions.php:42

Shortcodes: 1

  • [office_locator] · public\class-public.php:243

WordPress Hooks: 21

  • action · admin_menu · admin\class-admin.php:43
  • action · after_setup_theme · admin\class-admin.php:44
  • action · admin_enqueue_scripts · admin\class-admin.php:45
  • action · admin_enqueue_scripts · admin\class-admin.php:46
  • action · admin_print_scripts · admin\class-field-functions.php:41
  • filter · office_locator_settings_nav · admin\class-office-locator-custom-setting.php:41
  • filter · office_locator_settings_panel · admin\class-office-locator-custom-setting.php:42
  • filter · wt_enqueue_admin_styles · admin\class-office-locator-custom-setting.php:44
  • filter · wt_enqueue_admin_scripts · admin\class-office-locator-custom-setting.php:45
  • action · init · admin\includes\class-offices-functions.php:41
  • action · add_meta_boxes · admin\includes\class-offices-functions.php:42
  • action · save_post · admin\includes\class-offices-functions.php:43
  • action · init · includes\packages.php:52
  • action · plugins_loaded · includes\packages.php:222
  • action · wp_enqueue_scripts · public\class-public.php:44
  • action · wp_enqueue_scripts · public\class-public.php:45
  • action · init · public\class-public.php:46
  • filter · body_class · public\class-public.php:47
  • action · wp_head · public\class-public.php:48
  • filter · template_include · public\class-public.php:49
  • action · after_setup_theme · public\class-public.php:59
Maintenance & Trust

Office Locator Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Mar 31, 2025
PHP min version: 7.0
Downloads: 3K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 30
Developer Profile

Office Locator Developer Profile

WebbyTemplate

3 plugins · 30 total installs

Trust score: 81
Avg Security Score: 81/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Office Locator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/office-locator/assets/css/fontawesome.css
  • /wp-content/plugins/office-locator/assets/css/select2.min.css
  • /wp-content/plugins/office-locator/assets/css/style.css
  • /wp-content/plugins/office-locator/admin/css/admin-style.css
  • /wp-content/plugins/office-locator/assets/js/office-locator.js
  • /wp-content/plugins/office-locator/assets/js/select2.min.js
  • /wp-content/plugins/office-locator/assets/js/moment.min.js
  • /wp-content/plugins/office-locator/assets/js/flatpickr.min.js
  • +2 more

Script Paths

  • /wp-content/plugins/office-locator/assets/js/office-locator.js
  • /wp-content/plugins/office-locator/assets/js/select2.min.js
  • /wp-content/plugins/office-locator/assets/js/moment.min.js
  • /wp-content/plugins/office-locator/assets/js/flatpickr.min.js
  • /wp-content/plugins/office-locator/assets/js/tinymce/tinymce.min.js
  • /wp-content/plugins/office-locator/admin/js/admin-script.js

Version Parameters

  • office-locator/assets/css/fontawesome.css?ver=
  • office-locator/assets/css/select2.min.css?ver=
  • office-locator/assets/css/style.css?ver=
  • office-locator/admin/css/admin-style.css?ver=
  • office-locator/assets/js/office-locator.js?ver=
  • office-locator/assets/js/select2.min.js?ver=
  • office-locator/assets/js/moment.min.js?ver=
  • office-locator/assets/js/flatpickr.min.js?ver=
  • office-locator/assets/js/tinymce/tinymce.min.js?ver=
  • office-locator/admin/js/admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • wt-panel-settings
  • nav-tab-wrapper
  • panel-wrapper
  • wt-submit
  • alert
  • action-wrapper
  • documentation
  • action-wrapper reset
  • +7 more

HTML Comments

  • <!-- If this file is called directly, abort. -->
  • <!-- Currently plugin name ,version. -->
  • <!-- The code that runs during plugin activation. -->
  • <!-- The code that runs during plugin deactivation. -->
  • +16 more

Data Attributes

  • data-tab="general"
  • data-tab="appearance"
  • data-tab="google_autocomplete"
  • data-tab="import_export"
  • data-tab="export_import"
  • data-nonce="webby_template_plugins"

JS Globals

  • Office_Locator_Settings
  • Office_Locator_Admin
  • Office_Locator
  • wt_custom_field_group
  • Office_Locator_Activator
  • Office_Locator_Deactivator
  • +2 more

REST Endpoints

  • /wp-json/office-locator/v1/offices
  • /wp-json/office-locator/v1/settings

Shortcode Output

  • [office_locator_map]
  • [office_locator_list]