Does Open User Map have any unpatched vulnerabilities?

No. All known vulnerabilities in Open User Map have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Open User Map compatible with WordPress 6.9.4?

According to WordPress.org data, Open User Map 1.4.34 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Open User Map compatible with PHP 7.0+?

Open User Map requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Open User Map updated?

Open User Map was last updated on Mar 13, 2026. Frequent updates are generally a positive security signal.

What is Open User Map's security score?

Open User Map has a WP-Safety security score of 96/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Open User Map Security & Risk Analysis

wordpress.org/plugins/open-user-map

Engage your visitors with an interactive map – let them add markers instantly or create a custom map showcasing your favorite spots.

10K active installs v1.4.34 PHP 7.0+ WP 5.5+ Updated Mar 13, 2026

interactive-mapleafletmapmapboxpins

A · Safe

CVEs total3

Unpatched0

Last CVEFeb 16, 2026

Plugin page Download

Safety Verdict

Is Open User Map Safe to Use in 2026?

Generally Safe

Score 96/100

Open User Map has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Feb 16, 2026Updated 21d ago

Risk Assessment

The open-user-map plugin v1.4.34 presents a mixed security posture. While it demonstrates some good practices, such as a high percentage of SQL queries using prepared statements and a decent number of capability checks, significant concerns arise from the static analysis. The presence of 14 AJAX handlers, with 3 lacking authentication checks, creates a substantial attack surface that could be exploited without proper user authorization. Furthermore, the taint analysis reveals 4 flows with unsanitized paths, although thankfully none are flagged as critical or high severity, this still represents a potential risk of path traversal vulnerabilities if these flows are not properly handled in conjunction with other security controls. The plugin's vulnerability history shows 3 medium-severity CVEs, specifically related to Path Traversal and Cross-site Scripting. While there are currently no unpatched CVEs, the recurring nature of these vulnerability types suggests a potential weakness in input sanitization and output escaping that needs ongoing vigilance and remediation. The last reported vulnerability in 2026 is also an anomaly that requires further investigation, but assuming it represents a historical event, the recurring nature of past issues is the primary concern.

Key Concerns

Unprotected AJAX handlers
Flows with unsanitized paths
Medium severity CVEs historically
Low percentage of properly escaped output
Bundled outdated library (Freemius v1.0)

Vulnerabilities

Open User Map Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

1 CVE in 2025

2025

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

Medium

3 total CVEs

CVE-2025-68002medium · 6.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Open User Map <= 1.4.16 - Authenticated (Subscriber+) Arbitrary File Download

Feb 16, 2026 Patched in 1.4.17 (10d)

CVE-2025-57953medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Open User Map <= 1.4.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 Patched in 1.4.15 (11d)

CVE-2023-45056medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Open User Map | Everybody can add locations <= 1.3.26 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 3, 2023 Patched in 1.3.27 (112d)

Code Analysis

Analyzed Mar 16, 2026

Open User Map Code Analysis

Dangerous Functions

Raw SQL Queries

12 prepared

Unescaped Output

758

696 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Freemius1.0

SQL Query Safety

80% prepared15 total queries

Output Escaping

48% escaped1454 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

5 flows4 with unsanitized paths

csv_import (inc\Pages\Settings.php:807)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

3 unprotected

Open User Map Attack Surface

Entry Points16

Unprotected3

AJAX Handlers 14

noprivwp_ajax_oum_add_location_from_frontendinc\Base\BaseController.php:657

authwp_ajax_oum_add_location_from_frontendinc\Base\BaseController.php:658

authwp_ajax_oum_toggle_voteinc\Base\BaseController.php:661

noprivwp_ajax_oum_toggle_voteinc\Base\BaseController.php:662

authwp_ajax_oum_get_vote_countinc\Base\BaseController.php:664

noprivwp_ajax_oum_get_vote_countinc\Base\BaseController.php:665

authwp_ajax_oum_refresh_location_nonceinc\Base\BaseController.php:667

noprivwp_ajax_oum_refresh_location_nonceinc\Base\BaseController.php:668

authwp_ajax_oum_check_edit_permissioninc\Base\LocationController.php:37

noprivwp_ajax_oum_check_edit_permissioninc\Base\LocationController.php:38

authwp_ajax_oum_dismiss_getting_started_noticeinc\Pages\Settings.php:16

authwp_ajax_oum_dismiss_update_noticeinc\Pages\Settings.php:18

authwp_ajax_oum_csv_exportinc\Pages\Settings.php:19

authwp_ajax_oum_csv_importinc\Pages\Settings.php:20

Shortcodes 2

[open-user-map] inc\Pages\Frontend.php:119

[open-user-map-form] inc\Pages\Frontend.php:121

WordPress Hooks 65

actionelementor/initelementor\includes\plugin.php:84

actionelementor/widgets/registerelementor\includes\plugin.php:204

actionelementor/controls/registerelementor\includes\plugin.php:205

filterscript_loader_taginc\Base\BaseController.php:137

filterscript_loader_taginc\Base\BaseController.php:195

filterscript_loader_taginc\Base\BaseController.php:235

actioninitinc\Base\BaseController.php:617

actiontransition_post_statusinc\Base\BaseController.php:618

actionoum_fs_loadedinc\Base\BaseController.php:625

actioninitinc\Base\BlockController.php:14

actionplugins_loadedinc\Base\BlockController.php:17

actionadmin_enqueue_scriptsinc\Base\Enqueue.php:23

actionadmin_enqueue_scriptsinc\Base\Enqueue.php:26

actionwp_enqueue_scriptsinc\Base\Enqueue.php:29

actionwp_enqueue_scriptsinc\Base\Enqueue.php:32

actionwp_headinc\Base\Enqueue.php:38

actioninitinc\Base\LocationController.php:14

actionadmin_initinc\Base\LocationController.php:15

actionadd_meta_boxesinc\Base\LocationController.php:16

actionsave_postinc\Base\LocationController.php:17

actionmanage_oum-location_posts_columnsinc\Base\LocationController.php:18

actionmanage_oum-location_posts_custom_columninc\Base\LocationController.php:19

filtermanage_oum-location_posts_sortable_columnsinc\Base\LocationController.php:26

actionpre_get_postsinc\Base\LocationController.php:27

actionadmin_menuinc\Base\LocationController.php:28

filterpost_thumbnail_htmlinc\Base\LocationController.php:29

filterthe_contentinc\Base\LocationController.php:35

filterposts_joininc\Base\LocationController.php:632

filterposts_searchinc\Base\LocationController.php:645

filterposts_whereinc\Base\LocationController.php:667

filterposts_groupbyinc\Base\LocationController.php:675

filterwp_should_output_buffer_template_for_enhancementinc\Base\OptOutFromTemplateEnhancement.php:54

actioninitinc\Base\TaxController.php:15

actionoum-region_add_form_fieldsinc\Base\TaxController.php:16

actionoum-region_edit_form_fieldsinc\Base\TaxController.php:17

actionedited_oum-regioninc\Base\TaxController.php:23

actioncreate_oum-regioninc\Base\TaxController.php:24

actionmanage_edit-oum-region_columnsinc\Base\TaxController.php:25

actionmanage_oum-region_custom_columninc\Base\TaxController.php:26

actionwpinc\Pages\Frontend.php:17

actioninitinc\Pages\Frontend.php:19

actionwp_footerinc\Pages\Frontend.php:22

actionwp_footerinc\Pages\Frontend.php:25

actionwp_footerinc\Pages\Frontend.php:27

actionwp_footerinc\Pages\Frontend.php:31

filterscript_loader_taginc\Pages\Frontend.php:123

filteraioseo_disable_shortcode_parsinginc\Pages\Frontend.php:173

filterslim_seo_skipped_shortcodesinc\Pages\Frontend.php:175

filterslim_seo_skipped_blocksinc\Pages\Frontend.php:184

actioninitinc\Pages\Settings.php:11

actionadmin_menuinc\Pages\Settings.php:12

actionadmin_initinc\Pages\Settings.php:13

actionadmin_initinc\Pages\Settings.php:14

actionadmin_noticesinc\Pages\Settings.php:15

actionadmin_noticesinc\Pages\Settings.php:17

actionupdate_optioninc\Pages\Settings.php:23

actionupdate_option_oum_enable_single_pageinc\Pages\Settings.php:30

filterwp_redirectinc\Pages\Settings.php:36

actionadmin_body_classinc\Pages\Settings.php:447

filterpricing/show_annual_in_monthlyopen-user-map.php:78

actionafter_uninstallopen-user-map.php:90

actionconnect/beforeopen-user-map.php:92

actionconnect/afteropen-user-map.php:106

actioninitopen-user-map.php:196

actionadmin_menuopen-user-map.php:199

Maintenance & Trust

Open User Map Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 13, 2026

PHP min version7.0

Downloads280K

Community Trust

Rating100/100

Number of ratings64

Active installs10K

Alternatives

Open User Map Alternatives

Mapster WP Maps

mapster-wp-maps

Mapster WP Maps is the smoothest, easiest way to make maps for your site. No API keys required.

3K 4 CVEs

WP Mapbox GL JS Maps

wp-mapbox-gl-js

NOTE: This plugin has been deprecated and is no longer supported. Please see our latest plugin, Mapster WP Maps, for a more up-to-date and maintained …

1K 1 unpatched

Treweler Map Builder

treweler-map-builder

100

The Treweler plugin is a multifunction map builder. Its purpose is to help you create an interactive map for your personal or business project.

80 No CVEs

Your Current Location On Map

your-current-location-on-map

Displays your current location in map with accuracy. Your Current Location On Map plugin is very easy to use,mobile friendly,responsive.

20 No CVEs

OSMaps

osmaps

100

Plugin to view free road maps.

10 No CVEs

Developer Profile

Open User Map Developer Profile

100plugins

3 plugins · 10K total installs

trust score

Avg Security Score

93/100

Avg Patch Time

44 days

View full developer profile

Detection Fingerprints

How We Detect Open User Map

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/open-user-map/assets/js/backend/admin.js/wp-content/plugins/open-user-map/assets/js/frontend.js/wp-content/plugins/open-user-map/assets/css/admin.css/wp-content/plugins/open-user-map/assets/css/frontend.css/wp-content/plugins/open-user-map/assets/css/leaflet.css/wp-content/plugins/open-user-map/assets/css/markercluster.css/wp-content/plugins/open-user-map/assets/js/leaflet.js/wp-content/plugins/open-user-map/assets/js/markercluster.js

Script Paths

Version Parameters

open-user-map/assets/js/backend/admin.js?ver=open-user-map/assets/js/frontend.js?ver=open-user-map/assets/css/admin.css?ver=open-user-map/assets/css/frontend.css?ver=open-user-map/assets/css/leaflet.css?ver=open-user-map/assets/css/markercluster.css?ver=open-user-map/assets/js/leaflet.js?ver=open-user-map/assets/js/markercluster.js?ver=

HTML / DOM Fingerprints

CSS Classes

oum-wizardoum-wizard .herooum-wizard .hero .logooum-wizard .hero .overlineoum-wizard .hero h1oum-wizard .hero .stepsoum-wizard .hero .steps lioum-wizard .step-content

HTML Comments

FREEMIUS INTEGRATION CODE+11 more

Data Attributes

data-freemius-slug="open-user-map"data-freemius-type="plugin"data-freemius-id="9083"

JS Globals

oum_fs

REST Endpoints

/wp-json/open-user-map/v1/location

FAQ