Tiles Proxy for OpenStreetMap Security & Risk Analysis

wordpress.org/plugins/osm-tiles-proxy

A basic proxy that lets OpenStreetMap plugins load map tiles from your own server instead of OpenStreetMap servers.

200 active installs v2.4.0 PHP 8.0+ WP 6.0+ Updated Mar 27, 2026
embedgdpropenstreetmapproxy
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Tiles Proxy for OpenStreetMap Safe to Use in 2026?

Generally Safe

Score 100/100

Tiles Proxy for OpenStreetMap has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3mo ago
Risk Assessment

The "osm-tiles-proxy" plugin v2.3.2 exhibits a mixed security posture. On the positive side, it demonstrates good practices in avoiding dangerous functions, utilizing prepared statements for all SQL queries, and having no recorded vulnerability history. The absence of taint analysis issues and only one external HTTP request are also favorable. However, significant concerns arise from its attack surface. With one unprotected REST API route and zero capability checks, this presents a clear entry point for unauthorized actions. Furthermore, the low percentage of properly escaped output suggests potential for cross-site scripting vulnerabilities, especially when dealing with data that might be reflected in user interfaces.

Key Concerns

  • Unprotected REST API route
  • Zero capability checks
  • Low output escaping percentage
Vulnerabilities
None known

Tiles Proxy for OpenStreetMap Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Tiles Proxy for OpenStreetMap Release Timeline

v2.4.0Current
v2.3.2
v2.3.1
v2.3.0
v2.2.1
v2.1.0
v2.0.1
v1.3.0
Code Analysis
Analyzed Mar 16, 2026

Tiles Proxy for OpenStreetMap Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
4
1 escaped
Nonce Checks
0
Capability Checks
0
File Operations
3
External Requests
1
Bundled Libraries
0

Output Escaping

20% escaped5 total outputs
Attack Surface
1 unprotected

Tiles Proxy for OpenStreetMap Attack Surface

Entry Points1
Unprotected1

REST API Routes 1

GET/wp-json/osm-tiles-proxy/v1/tiles/(?P<s>\w+)/(?P<z>\d+)/(?P<x>\d+)/(?P<y>\d+).pngincludes\osm-tiles-proxy.class.php:47
WordPress Hooks 18
actionrest_api_initincludes\osm-tiles-proxy.class.php:23
actiontemplate_redirectincludes\osm-tiles-proxy.class.php:24
actionwpfc_delete_cacheincludes\osm-tiles-proxy.class.php:26
actionafter_rocket_clean_domainincludes\osm-tiles-proxy.class.php:27
filterosm_tiles_proxy_get_proxy_urlincludes\osm-tiles-proxy.class.php:29
filterosm_tiles_proxy_get_proxy_rest_urlincludes\osm-tiles-proxy.class.php:30
filterosm_tiles_proxy_get_leaflet_js_urlincludes\osm-tiles-proxy.class.php:31
filterosm_tiles_proxy_get_leaflet_css_urlincludes\osm-tiles-proxy.class.php:32
filterosm_tiles_proxy_disable_clear_cacheincludes\osm-tiles-proxy.class.php:34
filterplugin_row_metaincludes\osm-tiles-proxy.class.php:37
actioncustomize_registerincludes\osm-tiles-proxy.customizer-class.php:8
actionleaflet_map_loadedincludes\osm-tiles-proxy.customizer-class.php:9
filterdefault_option_leaflet_map_tile_urlincludes\plugin.leaflet-map.php:10
filterdefault_option_leaflet_js_urlincludes\plugin.leaflet-map.php:14
filterdefault_option_leaflet_css_urlincludes\plugin.leaflet-map.php:18
filterdefault_option_leaflet_map_tile_url_subdomainsincludes\plugin.leaflet-map.php:22
filterdefault_option_leaflet_default_attributionincludes\plugin.leaflet-map.php:26
actionwp_enqueue_scriptsosm-tiles-proxy.php:29
Maintenance & Trust

Tiles Proxy for OpenStreetMap Maintenance & Trust

Maintenance Signals

WordPress version tested7.0
Last updatedMar 27, 2026
PHP min version8.0
Downloads6K

Community Trust

Rating0/100
Number of ratings0
Active installs200
Developer Profile

Tiles Proxy for OpenStreetMap Developer Profile

Adrian Mörchen

3 plugins · 6K total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
669 days
View full developer profile
Detection Fingerprints

How We Detect Tiles Proxy for OpenStreetMap

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/osm-tiles-proxy/assets/customizer-preview.js
Script Paths
/wp-content/plugins/osm-tiles-proxy/assets/customizer-preview.js

HTML / DOM Fingerprints

Data Attributes
data-customize-setting-link="osm_tiles_proxy_min_zoom"data-customize-setting-link="osm_tiles_proxy_max_zoom"data-customize-setting-link="osm_tiles_proxy_min_x"data-customize-setting-link="osm_tiles_proxy_max_x"data-customize-setting-link="osm_tiles_proxy_min_y"data-customize-setting-link="osm_tiles_proxy_max_y"
JS Globals
wp_leaflet_map
REST Endpoints
/wp-json/osm-tiles-proxy/v1/tile
FAQ

Frequently Asked Questions about Tiles Proxy for OpenStreetMap