Simple Location Security & Risk Analysis

wordpress.org/plugins/simple-location

Adds geographic location and weather support to WordPress.

300 active installs · v5.0.24 · PHP 7.4+ · WP 6.2+ · Updated Feb 25, 2026
Tags: geo, geolocation, location, maps, timezones
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Simple Location Safe to Use in 2026?

Generally Safe

Score 100/100

Simple Location has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The simple-location plugin version 5.0.24 exhibits a mixed security posture. On the positive side, it demonstrates good practices in several areas. Notably, all detected SQL queries utilize prepared statements, and a very high percentage (97%) of output is properly escaped, minimizing risks of cross-site scripting (XSS). The absence of dangerous functions and the absence of recorded vulnerabilities in its history suggest a generally well-maintained codebase. However, a significant concern arises from the substantial attack surface exposed through its REST API. All nine REST API routes lack permission callbacks, meaning any unauthenticated user can potentially interact with these endpoints, posing a serious risk if these endpoints handle sensitive data or functionality. While taint analysis did not reveal immediate critical issues, the large number of unprotected REST API endpoints represents a significant potential vector for future vulnerabilities if not addressed. The plugin's history of no CVEs is encouraging, but the current lack of authentication on a large portion of its attack surface is a pressing concern that overshadows the otherwise positive code signals.

Key Concerns

  • REST API routes without permission callbacks
  • High number of total unprotected entry points
  • Low nonce checks relative to entry points
Vulnerabilities
None known

Simple Location Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Simple Location Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 15 (414 escaped)
Nonce Checks: 5
Capability Checks: 27
File Operations: 2
External Requests: 15
Bundled Libraries: 0

Output Escaping

97% escaped · 429 total outputs
Data Flows
All sanitized

Data Flow Analysis

5 flows
geo_posts_dropdown (includes\class-geo-base.php:456)
Attack Surface
9 unprotected

Simple Location Attack Surface

Entry Points: 9
Unprotected: 9

REST API Routes 9

GET  /wp-json/sloc_geo/1.0/user  (includes\class-rest-geo.php:68)
GET  /wp-json/sloc_geo/1.0/timezone  (includes\class-rest-geo.php:107)
GET  /wp-json/sloc_geo/1.0/airport  (includes\class-rest-geo.php:129)
GET  /wp-json/sloc_geo/1.0/geocode  (includes\class-rest-geo.php:154)
GET  /wp-json/sloc_geo/1.0/elevation  (includes\class-rest-geo.php:196)
GET  /wp-json/sloc_geo/1.0/venue  (includes\class-rest-geo.php:224)
GET  /wp-json/sloc_geo/1.0/weather  (includes\class-rest-geo.php:251)
GET  /wp-json/sloc_geo/1.0/lookup  (includes\class-rest-geo.php:282)
GET  /wp-json/sloc_geo/1.0/map  (includes\class-rest-geo.php:296)
WordPress Hooks 113
action  admin_init  (includes\class-elevation-provider.php:44)
action  init  (includes\class-elevation-provider.php:45)
action  init  (includes\class-geo-base.php:8)
action  admin_init  (includes\class-geo-base.php:9)
filter  jetpack_tools_to_include  (includes\class-geo-base.php:12)
filter  query_vars  (includes\class-geo-base.php:30)
filter  template_include  (includes\class-geo-base.php:31)
action  rss2_ns  (includes\class-geo-base.php:35)
action  atom_ns  (includes\class-geo-base.php:36)
action  rdf_ns  (includes\class-geo-base.php:37)
action  rss_item  (includes\class-geo-base.php:39)
action  rss2_item  (includes\class-geo-base.php:40)
action  atom_entry  (includes\class-geo-base.php:41)
action  rdf_item  (includes\class-geo-base.php:42)
action  json_feed_item  (includes\class-geo-base.php:43)
action  wp_head  (includes\class-geo-base.php:44)
action  rest_api_init  (includes\class-geo-base.php:46)
action  restrict_manage_posts  (includes\class-geo-base.php:54)
action  restrict_manage_comments  (includes\class-geo-base.php:55)
filter  bulk_actions-edit-post  (includes\class-geo-base.php:57)
filter  handle_bulk_actions-edit-post  (includes\class-geo-base.php:58)
action  admin_notices  (includes\class-geo-base.php:59)
filter  rest_prepare_post  (includes\class-geo-base.php:61)
filter  rest_prepare_comment  (includes\class-geo-base.php:62)
filter  rest_prepare_user  (includes\class-geo-base.php:63)
filter  map_meta_cap  (includes\class-geo-base.php:65)
action  admin_enqueue_scripts  (includes\class-geo-base.php:67)
action  save_post  (includes\class-geo-base.php:68)
action  save_post  (includes\class-geo-base.php:69)
action  edit_attachment  (includes\class-geo-base.php:70)
action  edit_comment  (includes\class-geo-base.php:71)
action  show_user_profile  (includes\class-geo-base.php:72)
action  edit_user_profile  (includes\class-geo-base.php:73)
action  personal_options_update  (includes\class-geo-base.php:74)
action  edit_user_profile_update  (includes\class-geo-base.php:75)
action  add_meta_boxes  (includes\class-geo-base.php:85)
action  init  (includes\class-geo-data.php:10)
action  pre_get_posts  (includes\class-geo-data.php:44)
action  pre_get_posts  (includes\class-geo-data.php:45)
action  pre_get_comments  (includes\class-geo-data.php:46)
filter  get_comment_text  (includes\class-geo-data.php:48)
filter  the_content  (includes\class-geo-data.php:49)
filter  the_content  (includes\class-geo-data.php:51)
action  admin_init  (includes\class-geo-provider.php:80)
action  init  (includes\class-geo-provider.php:81)
filter  admin_init  (includes\class-loc-config.php:8)
filter  plugins_loaded  (includes\class-loc-config.php:9)
action  admin_menu  (includes\class-loc-config.php:10)
action  admin_enqueue_scripts  (includes\class-loc-config.php:79)
action  init  (includes\class-loc-timezone.php:3)
filter  get_the_date  (includes\class-loc-timezone.php:7)
filter  get_the_time  (includes\class-loc-timezone.php:8)
filter  get_the_modified_date  (includes\class-loc-timezone.php:9)
filter  get_the_modified_time  (includes\class-loc-timezone.php:10)
filter  get_comment_date  (includes\class-loc-timezone.php:11)
filter  get_comment_time  (includes\class-loc-timezone.php:12)
filter  post_date_column_time  (includes\class-loc-timezone.php:13)
action  simple_location_sidebox  (includes\class-loc-timezone.php:14)
action  save_post  (includes\class-loc-timezone.php:15)
action  after_micropub  (includes\class-loc-timezone.php:16)
filter  rest_prepare_post  (includes\class-loc-timezone.php:17)
filter  rest_prepare_comment  (includes\class-loc-timezone.php:18)
filter  before_micropub  (includes\class-location-plugins.php:21)
action  after_micropub  (includes\class-location-plugins.php:22)
filter  micropub_query  (includes\class-location-plugins.php:23)
filter  webmention_handler_mf2_set_properties  (includes\class-location-plugins.php:24)
action  init  (includes\class-location-taxonomy.php:10)
action  location_add_form_fields  (includes\class-location-taxonomy.php:20)
action  location_edit_form_fields  (includes\class-location-taxonomy.php:21)
action  created_location  (includes\class-location-taxonomy.php:22)
action  edited_location  (includes\class-location-taxonomy.php:23)
action  location_pre_add_form  (includes\class-location-taxonomy.php:24)
action  pre_get_posts  (includes\class-location-taxonomy.php:25)
filter  manage_location_custom_column  (includes\class-location-taxonomy.php:26)
filter  manage_edit-location_columns  (includes\class-location-taxonomy.php:27)
filter  taxonomy_parent_dropdown_args  (includes\class-location-taxonomy.php:28)
action  admin_menu  (includes\class-location-taxonomy.php:29)
action  restrict_manage_posts  (includes\class-location-taxonomy.php:30)
filter  get_the_archive_title  (includes\class-location-taxonomy.php:32)
filter  get_pages_query_args  (includes\class-location-taxonomy.php:33)
action  init  (includes\class-map-provider.php:149)
action  admin_init  (includes\class-map-provider.php:150)
action  init  (includes\class-post-venue.php:9)
filter  manage_venue_posts_columns  (includes\class-post-venue.php:178)
filter  manage_venue_posts_columns  (includes\class-post-venue.php:179)
filter  manage_venue_posts_columns  (includes\class-post-venue.php:180)
action  manage_venue_posts_custom_column  (includes\class-post-venue.php:181)
action  manage_venue_posts_custom_column  (includes\class-post-venue.php:182)
action  restrict_manage_posts  (includes\class-post-venue.php:185)
filter  bulk_actions-edit-venue  (includes\class-post-venue.php:187)
filter  handle_bulk_actions-edit-venue  (includes\class-post-venue.php:188)
action  admin_notices  (includes\class-post-venue.php:189)
action  pre_get_posts  (includes\class-post-venue.php:190)
action  rest_api_init  (includes\class-rest-geo.php:18)
action  init  (includes\class-sloc-media-metadata.php:10)
filter  wp_read_image_metadata  (includes\class-sloc-media-metadata.php:30)
filter  wp_read_image_metadata  (includes\class-sloc-media-metadata.php:32)
filter  wp_generate_attachment_metadata  (includes\class-sloc-media-metadata.php:35)
filter  attachment_fields_to_edit  (includes\class-sloc-media-metadata.php:36)
action  attachment_submitbox_misc_actions  (includes\class-sloc-media-metadata.php:37)
action  admin_init  (includes\class-venue-provider.php:70)
action  init  (includes\class-venue-provider.php:71)
action  init  (includes\class-weather-data.php:10)
action  simple_location_sidebox  (includes\class-weather-data.php:61)
action  admin_init  (includes\class-weather-provider.php:77)
action  init  (includes\class-weather-provider.php:78)
filter  user_contactmethods  (includes\location\class-location-provider-compass.php:23)
action  plugins_loaded  (simple-location.php:20)
action  init  (simple-location.php:21)
action  upgrader_process_complete  (simple-location.php:26)
action  wp_enqueue_scripts  (simple-location.php:203)
action  admin_init  (simple-location.php:209)
action  widgets_init  (simple-location.php:254)
Maintenance & Trust

Simple Location Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Feb 25, 2026
PHP min version: 7.4
Downloads: 59K

Community Trust

Rating: 92/100
Number of ratings: 8
Active installs: 300
Developer Profile

Simple Location Developer Profile

David Shanske

5 plugins · 720 total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 3177 days
Detection Fingerprints

How We Detect Simple Location

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/simple-location/assets/js/simple-location.js
/wp-content/plugins/simple-location/assets/css/simple-location.css
Script Paths
/wp-content/plugins/simple-location/assets/js/simple-location.js
Version Parameters
simple-location/assets/js/simple-location.js?ver=
simple-location/assets/css/simple-location.css?ver=

HTML / DOM Fingerprints

CSS Classes
sloc-location-display
sloc-map-canvas
HTML Comments
<!-- wp:simple-location/location -->
<!-- /wp:simple-location/location -->
<!-- wp:simple-location/map -->
<!-- /wp:simple-location/map -->
Data Attributes
data-sloc-id
data-sloc-lat
data-sloc-lng
data-sloc-zoom
data-sloc-map-type
JS Globals
window.simpleLocation
var slocInitMap
REST Endpoints
/wp-json/simple-location/v1/locations
/wp-json/simple-location/v1/geocode
Shortcode Output
[simple_location]
[simple_location_map]