ShMapper by Teplitsa Security & Risk Analysis

wordpress.org/plugins/shmapper-by-teplitsa

shMapper is a plugin that allows you to create simple crowdsourcing maps based on OpenStreetMap and Yandex.Maps.

100 active installs · v1.5.1 · PHP 7.4+ · WP 5.0+ · Updated Jan 14, 2025

Tags: crowdsourcing, map, openstreetmap, osm, yandex-map

Score 91 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jan 24, 2025
Safety Verdict

Is ShMapper by Teplitsa Safe to Use in 2026?

Generally Safe

Score 91/100

ShMapper by Teplitsa has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jan 24, 2025 · Updated 1yr ago
Risk Assessment

The "shmapper-by-teplitsa" plugin v1.5.1 presents a mixed security posture. While it demonstrates good practices in using prepared statements for a majority of its SQL queries and properly escaping most output, significant concerns arise from its attack surface. A substantial portion of its entry points, specifically 7 out of 11, lack authentication checks, making them vulnerable to unauthorized access and manipulation. Furthermore, the presence of 3 flows with unsanitized paths, although not classified as critical or high severity by the taint analysis, warrants attention as it suggests potential avenues for input injection vulnerabilities.

The plugin's vulnerability history is a notable weakness. With 2 known medium-severity CVEs, both cross-site scripting (XSS), the plugin shows a recurring pattern of input sanitization issues. The fact that the last vulnerability was recorded in early 2025, even though the current version might be older, suggests that past vulnerabilities may not have been adequately addressed or that the underlying code structure remains susceptible. The absence of unpatched vulnerabilities is a positive sign, but the history itself points to a need for more robust security development practices.

In conclusion, "shmapper-by-teplitsa" v1.5.1 has strengths in its SQL and output handling but suffers from critical weaknesses in its attack surface and a concerning history of XSS vulnerabilities. The unprotected AJAX handlers and unsanitized paths are immediate risks that require mitigation. The recurring XSS vulnerabilities, even if currently patched, highlight an ongoing risk that could resurface with future code changes. A proactive approach to hardening the input validation and authorization mechanisms is recommended.

Key Concerns

  • AJAX handlers without auth checks
  • Flows with unsanitized paths
  • Medium severity CVEs (XSS)
  • Low number of nonce checks
  • Low number of capability checks
Vulnerabilities (2)

ShMapper by Teplitsa Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-24674 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ShMapper by Teplitsa <= 1.5.0 - Authenticated (Editor+) Stored Cross-Site Scripting

Jan 24, 2025 Patched in 1.5.1 (5d)
CVE-2024-12518 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

shMapper by Teplitsa <= 1.4.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 23, 2024 Patched in 1.5.0 (1d)
Code Analysis (analyzed Mar 16, 2026)

ShMapper by Teplitsa Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 7 (14 prepared)
Unescaped Output: 42 (309 escaped)
Nonce Checks: 2
Capability Checks: 3
File Operations: 7
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

67% prepared · 21 total queries

Output Escaping

88% escaped · 351 total outputs

Data Flows (3 unsanitized)

Data Flow Analysis

9 flows · 3 with unsanitized paths
shm_before_insert_request (class\ShMaperTrack.class.php:466)
Attack Surface (7 unprotected)

ShMapper by Teplitsa Attack Surface

Entry Points: 11
Unprotected: 7

AJAX Handlers 7

nopriv · wp_ajax_myajax · class\ShMapper_ajax.class.php:26
auth · wp_ajax_myajax · class\ShMapper_ajax.class.php:27
auth · wp_ajax_myajax-admin · class\ShMapper_ajax.class.php:28
nopriv · wp_ajax_shm_set_req · class\ShMapper_ajax.class.php:30
auth · wp_ajax_shm_set_req · class\ShMapper_ajax.class.php:31
auth · wp_ajax_shm_set_req-admin · class\ShMapper_ajax.class.php:32
auth · wp_ajax_save_bulk_edit · class\SMC_Post.php:379

Shortcodes 4

[shmMap] class\ShMapper.class.php:222
[shmMapFeed] class\ShMapperDrive.class.php:72
[shmMapTrack] class\ShMapperTracks.class.php:44
[shmMap] shortcode\shm_shortcodes.php:10
WordPress Hooks 84

filter · admin_footer_text · class\ShmAdminPage.class.php:13
action · init · class\ShMaperTrack.class.php:9
filter · shm_admin_element · class\ShMaperTrack.class.php:10
filter · shmapper_get_form_fild_types · class\ShMaperTrack.class.php:11
filter · shmapper_front_form_element · class\ShMaperTrack.class.php:12
filter · shmapper_form_after_fields · class\ShMaperTrack.class.php:13
filter · smc-post-admin-edit · class\ShMaperTrack.class.php:14
filter · smc_post_fill_views_column · class\ShMaperTrack.class.php:15
filter · shm_before_insert_request · class\ShMaperTrack.class.php:16
filter · the_content · class\ShMaperTrack.class.php:17
action · before_delete_post · class\ShMaperTrack.class.php:18
action · delete_post · class\ShMaperTrack.class.php:19
action · deleted_post · class\ShMaperTrack.class.php:20
action · after_delete_post · class\ShMaperTrack.class.php:21
action · init · class\ShMapper.class.php:77
action · wp_head · class\ShMapper.class.php:78
filter · smc_add_post_types · class\ShMapper.class.php:79
action · admin_menu · class\ShMapper.class.php:80
action · admin_menu · class\ShMapper.class.php:81
action · admin_enqueue_scripts · class\ShMapper.class.php:82
action · wp_enqueue_scripts · class\ShMapper.class.php:83
action · admin_footer · class\ShMapper.class.php:84
action · wp_before_admin_bar_render · class\ShMapper.class.php:85
action · init · class\ShMapperDrive.class.php:62
action · wp_enqueue_scripts · class\ShMapperDrive.class.php:63
action · admin_enqueue_scripts · class\ShMapperDrive.class.php:64
filter · shmapper_admin · class\ShMapperDrive.class.php:65
filter · smc_add_post_types · class\ShMapperDrive.class.php:66
action · shm_ajax_submit · class\ShMapperDrive_ajax.class.php:14
action · init · class\ShMapperPointMessage.class.php:7
filter · shmapper_driver_feed_after · class\ShMapperPointMessage.class.php:8
action · init · class\ShMapperRequest.class.php:12
action · before_delete_post · class\ShMapperRequest.class.php:13
action · admin_menu · class\ShMapperRequest.class.php:14
action · init · class\ShMapperTracks.class.php:30
filter · smc_add_post_types · class\ShMapperTracks.class.php:31
action · wp_enqueue_scripts · class\ShMapperTracks.class.php:32
action · admin_enqueue_scripts · class\ShMapperTracks.class.php:33
filter · shm_voc · class\ShMapperTracks.class.php:34
filter · shm_vocabulary · class\ShMapperTracks.class.php:35
filter · shm_shortcode_args · class\ShMapperTracks.class.php:36
filter · shm_after_front_map · class\ShMapperTracks.class.php:37
filter · upload_mimes · class\ShMapperTracks.class.php:39
filter · shm_ajax_data · class\ShMapperTracksAjax.class.php:7
action · init · class\ShMapperTracksPoint.class.php:12
filter · shm_after_request_form · class\ShMapper_Assistants.class.php:19
filter · shm_after_request_form · class\ShMapper_Assistants.class.php:20
filter · parse_query · class\ShMapper_Assistants.class.php:21
action · restrict_manage_posts · class\ShMapper_Assistants.class.php:22
action · init · class\ShMapPointType.class.php:12
action · parent_file · class\ShMapPointType.class.php:13
action · admin_menu · class\ShMapPointType.class.php:14
action · before_delete_post · class\ShMapPointType.class.php:21
action · init · class\ShMapTrackType.class.php:11
action · parent_file · class\ShMapTrackType.class.php:12
action · admin_menu · class\ShMapTrackType.class.php:13
action · init · class\ShmMap.class.php:32
action · admin_menu · class\ShmMap.class.php:33
action · admin_menu · class\ShmMap.class.php:34
action · admin_menu · class\ShmMap.class.php:35
filter · the_content · class\ShmMap.class.php:36
filter · post_row_actions · class\ShmMap.class.php:37
action · smc_before_doubled_post · class\ShmMap.class.php:38
action · smc_after_doubled_post · class\ShmMap.class.php:39
action · init · class\ShmPoint.class.php:13
action · admin_menu · class\ShmPoint.class.php:14
action · bulk_edit_custom_box · class\ShmPoint.class.php:16
action · shmapper_bulk_before · class\ShmPoint.class.php:17
filter · the_content · class\ShmPoint.class.php:18
filter · smc_add_option · class\SMC_Object_type.php:14
action · admin_menu · class\SMC_Post.php:364
filter · pre_get_posts · class\SMC_Post.php:371
action · bulk_edit_custom_box · class\SMC_Post.php:377
action · enqueue_block_editor_assets · inc\editor\blocks-assets.php:47
filter · block_categories_all · inc\editor\blocks-category.php:25
action · init · inc\editor\blocks.php:10
filter · use_block_editor_for_post_type · inc\shm-functions.php:127
filter · upload_mimes · inc\shm-functions.php:137
filter · load_textdomain_mofile · shmapper.php:75
action · init · shmapper.php:117
action · init · shmapper.php:127
action · init · shmapperTracks.plugin.php:40
action · init · widget\ShMap.widget.php:14
action · widgets_init · widget\ShMap.widget.php:101
Maintenance & Trust

ShMapper by Teplitsa Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jan 14, 2025
PHP min version: 7.4
Downloads: 7K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 100
Developer Profile

ShMapper by Teplitsa Developer Profile

Denis Cherniatev

1 plugin · 100 total installs

Trust score: 94
Avg Security Score: 91/100
Avg Patch Time: 3 days
Detection Fingerprints

How We Detect ShMapper by Teplitsa

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/shmapper-by-teplitsa/css/shmapper.css
/wp-content/plugins/shmapper-by-teplitsa/js/shmapper.js
/wp-content/plugins/shmapper-by-teplitsa/js/shmapper.map.js
/wp-content/plugins/shmapper-by-teplitsa/js/shmapper.admin.js
/wp-content/plugins/shmapper-by-teplitsa/css/shm.css
/wp-content/plugins/shmapper-by-teplitsa/css/shm.map.css
/wp-content/plugins/shmapper-by-teplitsa/css/shm.admin.css
Script Paths
/wp-content/plugins/shmapper-by-teplitsa/js/shmapper.js
/wp-content/plugins/shmapper-by-teplitsa/js/shmapper.map.js
/wp-content/plugins/shmapper-by-teplitsa/js/shmapper.admin.js
Version Parameters
shmapper-by-teplitsa/css/shmapper.css?ver=
shmapper-by-teplitsa/js/shmapper.js?ver=
shmapper-by-teplitsa/js/shmapper.map.js?ver=
shmapper-by-teplitsa/js/shmapper.admin.js?ver=
shmapper-by-teplitsa/css/shm.css?ver=
shmapper-by-teplitsa/css/shm.map.css?ver=
shmapper-by-teplitsa/css/shm.admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
shm-map-wrapper, shm-point-map, shmapper-request-form, shmapper-request-form-submit, shm_map_container, shm-admin-page-wrapper
Data Attributes
data-shm-map-id, data-shm-point-id, data-shmapper-request-form-id
JS Globals
shmapper_ajax_object
Shortcode Output
[shm_map], [shm_request]
FAQ

Frequently Asked Questions about ShMapper by Teplitsa