String locator Security & Risk Analysis

wordpress.org/plugins/string-locator

Find and edit code or texts in your themes and plugins

100K active installs · v2.6.7 · PHP + WP 4.9+ · Updated Jan 15, 2025

Tags: find, highlight, search, syntax, text

Score: 87 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Jan 20, 2025
Safety Verdict

Is String locator Safe to Use in 2026?

Generally Safe

Score 87/100

String locator has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jan 20, 2025 · Updated 1yr ago
Risk Assessment

The 'string-locator' v2.6.7 plugin exhibits a mixed security posture. On the positive side, the plugin has a very small attack surface, with only one AJAX handler and no exposed REST API routes, shortcodes, or cron events. The vast majority of its SQL queries utilize prepared statements, and a high percentage of its output is properly escaped, indicating good practices in these areas. Additionally, it has a strong presence of capability checks and nonce checks, which are crucial for securing WordPress functionalities.

However, several red flags warrant caution. 'unserialize' is a known risky function, and its presence can lead to deserialization vulnerabilities if the input is not handled with extreme care. Taint analysis revealed flows with unsanitized paths, including one of high severity, which could potentially be exploited for path traversal or other file manipulation attacks. The plugin's vulnerability history is also concerning, with four previously disclosed CVEs: two of high and two of medium severity. The types of these historical vulnerabilities (XSS, deserialization, path traversal) align directly with the potential risks identified in the static and taint analysis, suggesting a pattern of recurring security weaknesses.

In conclusion, while the plugin implements some robust security measures such as capability checks and prepared statements, the identified risks from 'unserialize' usage and unsanitized paths, coupled with a history of significant past vulnerabilities, suggest a moderate-to-high risk profile. The recurrence of certain vulnerability types indicates that historical issues may not have been fully remediated, or that underlying insecure coding patterns persist. Users should exercise caution and ensure the plugin is updated to the latest available version: the most recent vulnerability was disclosed in early 2025, so a patch for a past issue may exist that is not reflected in the 'currently unpatched' count.

Key Concerns

  • High severity taint flow found
  • Flows with unsanitized paths found
  • Dangerous function 'unserialize' present
  • High severity historical vulnerabilities (2)
  • Medium severity historical vulnerabilities (2)
  • Vulnerability history indicates recurring risks
Vulnerabilities (4)

String locator Security Vulnerabilities

CVEs by Year

2022: 2 CVEs
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

High: 2
Medium: 2

4 total CVEs

CVE-2024-10936 · high · 8.8 · Deserialization of Untrusted Data

String Locator <= 2.6.6 - Unauthenticated PHP Object Injection

Jan 20, 2025 · Patched in 2.6.7 (1d)

CVE-2023-6987 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

String Locator <= 2.6.5 - Reflected Cross-Site Scripting

Aug 23, 2024 · Patched in 2.6.6 (1d)

CVE-2022-2434 · high · 8.8 · Deserialization of Untrusted Data

String Locator <= 2.5.0 - Cross-Site Request Forgery to PHAR Deserialization

Aug 8, 2022 · Patched in 2.6.0 (533d)

CVE-2022-0493 · medium · 4.9 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

String Locator <= 2.4.2 - Authenticated Arbitrary File Read

Mar 1, 2022 · Patched in 2.5.0 (693d)
Code Analysis · Analyzed Mar 16, 2026

String locator Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 2 (17 prepared)
Unescaped Output: 14 (124 escaped)
Nonce Checks: 2
Capability Checks: 22
File Operations: 9
External Requests: 5
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $unserialized = @unserialize( $data, array( 'allowed_classes' => false ) ); · includes\Extension\SearchReplace\Replace\class-sql.php:173
unserialize · $test_data = @unserialize( $this->content ); · includes\Extension\SQL\Tests\class-serialized-data.php:121

SQL Query Safety

89% prepared (19 total queries)

Output Escaping

90% escaped (138 total outputs)

Data Flows (4 unsanitized)

Data Flow Analysis

7 flows · 4 with unsanitized paths

save (includes\class-save.php:29)
Attack Surface

String locator Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers (1)

auth · wp_ajax_install_activate_plugin · includes\Extension\SearchReplace\class-replace.php:25

WordPress Hooks (34)

action · rest_api_init · includes\Base\class-rest.php:21
action · string_locator_search_templates · includes\Base\class-search.php:58
filter · admin_body_class · includes\class-string-locator.php:60
action · admin_menu · includes\class-string-locator.php:62
action · network_admin_menu · includes\class-string-locator.php:63
action · admin_enqueue_scripts · includes\class-string-locator.php:65
action · plugins_loaded · includes\class-string-locator.php:67
filter · plugin_row_meta · includes\class-string-locator.php:69
filter · string_locator_search_sources_markup · includes\class-string-locator.php:71
action · string_locator_search_templates · includes\class-string-locator.php:73
action · string_locator_editor_sidebar_before_checks · includes\class-string-locator.php:74
action · string_locator_search_results_tablenav_controls · includes\Extension\SearchReplace\class-replace.php:17
action · string_locator_search_results_tablenav_controls · includes\Extension\SearchReplace\class-replace.php:18
action · string_locator_instawp_tablenav_controls · includes\Extension\SearchReplace\class-replace.php:19
action · admin_enqueue_scripts · includes\Extension\SearchReplace\class-replace.php:21
action · string_locator_search_templates · includes\Extension\SearchReplace\class-replace.php:23
filter · string_locator_view · includes\Extension\SQL\class-edit.php:19
filter · admin_body_class · includes\Extension\SQL\class-edit.php:21
filter · string_locator_editor_fields · includes\Extension\SQL\class-edit.php:22
filter · string_locator_save_params · includes\Extension\SQL\class-save.php:16
filter · string_locator_save_handler · includes\Extension\SQL\class-save.php:17
filter · string_locator_search_sources_markup · includes\Extension\SQL\class-search.php:17
filter · string_locator_search_handler · includes\Extension\SQL\class-search.php:19
filter · string_locator_directory_iterator_short_circuit · includes\Extension\SQL\class-search.php:20
filter · string_locator_restore_search_row · includes\Extension\SQL\class-search.php:22
action · string_locator_editor_checks · includes\Extension\SQL\Tests\class-serialized-data.php:31
filter · string_locator_pre_save · includes\Extension\SQL\Tests\class-serialized-data.php:33
filter · string_locator_pre_save_fail_notice · includes\Extension\SQL\Tests\class-serialized-data.php:34
action · string_locator_editor_checks · includes\Tests\class-loopback.php:24
filter · string_locator_post_save · includes\Tests\class-loopback.php:26
filter · string_locator_post_save_fail_notice · includes\Tests\class-loopback.php:27
action · string_locator_editor_checks · includes\Tests\class-smart-scan.php:25
filter · string_locator_pre_save · includes\Tests\class-smart-scan.php:27
filter · string_locator_pre_save_fail_notice · includes\Tests\class-smart-scan.php:28
Maintenance & Trust

String locator Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jan 15, 2025
PHP min version:
Downloads: 1.4M

Community Trust

Rating: 92/100
Number of ratings: 123
Active installs: 100K
Developer Profile

String locator Developer Profile

InstaWP

2 plugins · 130K total installs

Trust score: 75
Avg Security Score: 82/100
Avg Patch Time: 80 days
Detection Fingerprints

How We Detect String locator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/string-locator/assets/css/string-locator-editor.css
/wp-content/plugins/string-locator/assets/css/string-locator-search-results.css
/wp-content/plugins/string-locator/assets/css/string-locator-settings.css
/wp-content/plugins/string-locator/assets/js/string-locator-editor.js
/wp-content/plugins/string-locator/assets/js/string-locator-search-results.js
/wp-content/plugins/string-locator/assets/js/string-locator-settings.js
/wp-content/plugins/string-locator/assets/js/string-locator-search-options.js
Script Paths
/wp-content/plugins/string-locator/assets/js/string-locator-editor.js
/wp-content/plugins/string-locator/assets/js/string-locator-search-results.js
/wp-content/plugins/string-locator/assets/js/string-locator-settings.js
/wp-content/plugins/string-locator/assets/js/string-locator-search-options.js
Version Parameters
string-locator/assets/css/string-locator-editor.css?ver=
string-locator/assets/css/string-locator-search-results.css?ver=
string-locator/assets/css/string-locator-settings.css?ver=
string-locator/assets/js/string-locator-editor.js?ver=
string-locator/assets/js/string-locator-search-results.js?ver=
string-locator/assets/js/string-locator-settings.js?ver=
string-locator/assets/js/string-locator-search-options.js?ver=

HTML / DOM Fingerprints

CSS Classes
sl-editor__container
sl-editor__main
sl-editor__settings
sl-editor__sidebar
sl-search-results__container
sl-search-results__main
sl-search-results__pagination
sl-search-results__toolbar
+3 more
HTML Comments
<!-- String Locator Editor -->
<!-- String Locator Search Results -->
<!-- String Locator Settings -->
<!-- InstaWP Plugin Reference -->
Data Attributes
data-string-locator-editor
data-string-locator-search-results
data-string-locator-settings
data-string-locator-search-options
JS Globals
string_locator_editor
string_locator_search_results
string_locator_settings
string_locator_search_options
REST Endpoints
/wp-json/string-locator/v1/save
/wp-json/string-locator/v1/clean
/wp-json/string-locator/v1/search
/wp-json/string-locator/v1/directory-structure
/wp-json/string-locator/v1/replace
Shortcode Output
<optgroup label="Core"><option value="core">The whole WordPress directory</option><option value="wp-content">Everything under wp-content</option></optgroup>
FAQ

Frequently Asked Questions about String locator