Treweler Map Builder Security & Risk Analysis

wordpress.org/plugins/treweler-map-builder

The Treweler plugin is a multifunction map builder. Its purpose is to help you create an interactive map for your personal or business project.

80 active installs v1.02 PHP 7.2+ WP 5.7+ Updated Unknown
Tags: interactive-map, map, map-markers, mapbox, travel-map
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Treweler Map Builder Safe to Use in 2026?

Generally Safe

Score 100/100

Treweler Map Builder has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The 'treweler-map-builder' plugin v1.02 exhibits a mixed security posture. On the positive side, it demonstrates strong practices in SQL query handling, utilizing prepared statements exclusively, and a significant majority of its output is properly escaped. The absence of known CVEs and a clean vulnerability history are also encouraging indicators. However, there are notable concerns regarding its attack surface. The plugin exposes three AJAX handlers, two of which lack authentication checks. This, combined with two unsanitized taint flows, presents potential entry points for malicious actors. The use of 'unserialize' without apparent sanitization in the code signals a potential risk for deserialization vulnerabilities, especially if untrusted data is passed to it. While the current vulnerability history is clean, the presence of these code-level weaknesses suggests that future vulnerabilities are possible if not addressed. Overall, the plugin has strengths in its data handling but requires attention to its access control and potential deserialization risks.

Key Concerns

  • Unprotected AJAX handlers
  • Unsanitized taint flows found
  • Use of 'unserialize' dangerous function
  • Bundled libraries (Select2, Guzzle)
Vulnerabilities
None known

Treweler Map Builder Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Treweler Map Builder Code Analysis

Dangerous Functions: 9
Raw SQL Queries: 0 (17 prepared)
Unescaped Output: 485 (1716 escaped)
Nonce Checks: 2
Capability Checks: 6
File Operations: 0
External Requests: 1
Bundled Libraries: 2

Dangerous Functions Found

unserialize | $map_ll = isset( $post_meta_old["_treweler_map_latlng"] ) ? unserialize( $post_meta_old["_treweler_m [truncated] | includes\admin\meta-boxes\class-twer-meta-box-map-settings.php:246
unserialize | $marker_ll = isset( $cust["_treweler_marker_latlng"] ) ? unserialize( $cust["_treweler_marker_latlng [truncated] | includes\admin\views\html-marker-settings-panel.php:67
unserialize | $marker_ll = isset( $cust["_treweler_marker_latlng"] ) ? unserialize( $cust["_treweler_marker_latlng [truncated] | includes\admin\views\html-marker-template-settings-panel.php:30
unserialize | $_treweler_map_initial_point = unserialize( $newMapSettingsData ); | includes\class-twer-map-free.php:202
unserialize | $_treweler_map_zoom = unserialize( $newMapSettingsDataZoom ); | includes\class-twer-map-free.php:203
unserialize | $latlng = unserialize( $meta['_treweler_map_latlng'][0] ); | includes\class-twer-map-free.php:207
unserialize | $_treweler_map_zoom = unserialize( $newMapSettingsDataZoom ); | includes\class-twer-map-free.php:2165
unserialize | $latlng = unserialize( $meta['_treweler_map_latlng'][0] ); | templates\page-map.php:84
unserialize | $_treweler_map_initial_point = unserialize( $meta['_treweler_map_initial_point'][0] ); | templates\page-map.php:86

Bundled Libraries

Select2, Guzzle

SQL Query Safety

100% prepared (17 total queries)

Output Escaping

78% escaped (2201 total outputs)
Data Flows
2 unsanitized

Data Flow Analysis

3 flows, 2 with unsanitized paths
content_653a1d0b0b7b79_75961364 (includes\admin\views\templates_c\80982de7ca6725e0dfbc4f659d0c7e729a9332a4_0.file.fields.tpl.php:24)
Attack Surface
2 unprotected

Treweler Map Builder Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers 3

auth | wp_ajax_treweler_get_admin_token | includes\admin\class-twer-admin.php:29
auth | wp_ajax_treweler_add_colorpicker_custom_color | includes\admin\class-twer-admin.php:30
auth | wp_ajax_twer_sto_update_taxonomy_order | includes\admin\tax-order\twer-custom-taxonomy-order.php:46
WordPress Hooks 85
action | admin_enqueue_scripts | includes\admin\class-twer-admin-assets.php:24
action | admin_enqueue_scripts | includes\admin\class-twer-admin-assets.php:25
action | admin_footer | includes\admin\class-twer-admin-assets.php:26
action | admin_head | includes\admin\class-twer-admin-assets.php:27
action | admin_enqueue_scripts | includes\admin\class-twer-admin-assets.php:29
action | add_meta_boxes | includes\admin\class-twer-admin-meta-boxes.php:51
action | add_meta_boxes | includes\admin\class-twer-admin-meta-boxes.php:52
action | save_post | includes\admin\class-twer-admin-meta-boxes.php:53
action | current_screen | includes\admin\class-twer-admin-post-types.php:32
action | check_ajax_referer | includes\admin\class-twer-admin-post-types.php:33
action | edit_form_top | includes\admin\class-twer-admin-post-types.php:36
action | edit_form_after_title | includes\admin\class-twer-admin-post-types.php:37
filter | enter_title_here | includes\admin\class-twer-admin-post-types.php:38
filter | default_hidden_meta_boxes | includes\admin\class-twer-admin-post-types.php:39
filter | post_updated_messages | includes\admin\class-twer-admin-post-types.php:42
filter | bulk_post_updated_messages | includes\admin\class-twer-admin-post-types.php:43
action | init | includes\admin\class-twer-admin.php:25
action | admin_init | includes\admin\class-twer-admin.php:26
action | admin_menu | includes\admin\class-twer-admin.php:34
action | admin_menu | includes\admin\class-twer-admin.php:35
action | admin_menu | includes\admin\class-twer-admin.php:36
filter | custom_menu_order | includes\admin\class-twer-admin.php:37
action | admin_menu | includes\admin\class-twer-admin.php:41
action | admin_menu | includes\admin\class-twer-admin.php:42
filter | admin_body_class | includes\admin\class-twer-admin.php:46
filter | view_mode_post_types | includes\admin\list-tables\abstract-class-twer-admin-list-table.php:41
action | restrict_manage_posts | includes\admin\list-tables\abstract-class-twer-admin-list-table.php:42
filter | default_hidden_columns | includes\admin\list-tables\abstract-class-twer-admin-list-table.php:43
filter | post_row_actions | includes\admin\list-tables\abstract-class-twer-admin-list-table.php:47
filter | list_table_primary_column | includes\admin\list-tables\abstract-class-twer-admin-list-table.php:48
filter | treweler_admin_route_details_style_fields | includes\admin\meta-boxes\class-twer-meta-box-route-details.php:111
filter | treweler_admin_route_details_importGPX_fields | includes\admin\meta-boxes\class-twer-meta-box-route-details.php:112
action | admin_head | includes\admin\tax-order\twer-custom-taxonomy-order.php:44
action | init | includes\admin\tax-order\twer-custom-taxonomy-order.php:45
filter | terms_clauses | includes\admin\tax-order\twer-custom-taxonomy-order.php:78
filter | terms_clauses | includes\admin\tax-order\twer-custom-taxonomy-order.php:91
action | plugins_loaded | includes\class-treweler.php:156
action | after_setup_theme | includes\class-treweler.php:157
action | after_setup_theme | includes\class-treweler.php:158
action | init | includes\class-treweler.php:159
action | init | includes\class-treweler.php:160
action | init | includes\class-twer-ajax.php:20
action | template_redirect | includes\class-twer-ajax.php:21
filter | nocache_headers | includes\class-twer-cache-helper.php:26
action | shutdown | includes\class-twer-cache-helper.php:27
action | admin_notices | includes\class-twer-cache-helper.php:28
action | delete_version_transients | includes\class-twer-cache-helper.php:29
action | clean_term_cache | includes\class-twer-cache-helper.php:30
action | edit_terms | includes\class-twer-cache-helper.php:31
action | wp_enqueue_scripts | includes\class-twer-frontend-scripts.php:45
action | wp_print_scripts | includes\class-twer-frontend-scripts.php:47
action | wp_print_footer_scripts | includes\class-twer-frontend-scripts.php:48
action | init | includes\class-twer-install.php:22
action | init | includes\class-twer-post-types.php:21
action | init | includes\class-twer-post-types.php:22
action | restrict_manage_posts | includes\class-twer-post-types.php:23
filter | term_updated_messages | includes\class-twer-post-types.php:24
action | parse_query | includes\class-twer-post-types.php:25
action | save_post | includes\class-twer-post-types.php:26
action | treweler_after_register_post_type | includes\class-twer-post-types.php:27
action | treweler_flush_rewrite_rules | includes\class-twer-post-types.php:28
filter | gutenberg_can_edit_post_type | includes\class-twer-post-types.php:29
filter | use_block_editor_for_post_type | includes\class-twer-post-types.php:30
filter | the_content | includes\class-twer-shortcodes.php:28
action | restrict_manage_posts | includes\class-twer-taxonomy.php:20
action | init | includes\class-twer-taxonomy.php:21
filter | parse_query | includes\class-twer-taxonomy.php:23
action | save_post_marker | includes\class-twer-taxonomy.php:25
action | save_post_route | includes\class-twer-taxonomy.php:26
action | delete_term | includes\class-twer-taxonomy.php:27
filter | template_include | includes\class-twer-template-loader.php:19
action | init | includes\class-twer-template-loader.php:185
action | admin_footer | includes\twer-core-functions.php:1297
filter | wp_untrash_post_status | includes\twer-core-functions.php:1923
filter | body_class | includes\twer-template-hooks.php:13
filter | get_the_generator_html | includes\twer-template-hooks.php:20
filter | get_the_generator_xhtml | includes\twer-template-hooks.php:21
action | twer_before_main_content | includes\twer-template-hooks.php:29
action | twer_after_main_content | includes\twer-template-hooks.php:30
action | twer_left_sidebar_map | includes\twer-template-hooks.php:36
action | twer_map_elements_templates | includes\twer-template-hooks.php:42
action | twer_map_elements_templates | includes\twer-template-hooks.php:43
action | twer_map_elements_templates | includes\twer-template-hooks.php:44
action | twer_extended_store_locator_body | includes\twer-template-hooks.php:50
action | twerBodyOpen | includes\twer-template-hooks.php:56

Scheduled Events 1

delete_version_transients
Maintenance & Trust

Treweler Map Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Unknown
PHP min version: 7.2
Downloads: 4K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 80
Developer Profile

Treweler Map Builder Developer Profile

Aisconverse

1 plugin · 80 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Treweler Map Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/treweler-map-builder/assets/css/treweler-free.css
/wp-content/plugins/treweler-map-builder/assets/css/treweler-admin-new.css
/wp-content/plugins/treweler-map-builder/assets/css/treweler-admin-markers.css
/wp-content/plugins/treweler-map-builder/assets/css/treweler-admin.css
/wp-content/plugins/treweler-map-builder/assets/js/treweler-mapbox.js
/wp-content/plugins/treweler-map-builder/assets/js/treweler-helpers.js
/wp-content/plugins/treweler-map-builder/assets/js/treweler-script.js
Script Paths
https://api.mapbox.com/mapbox-gl-js/v3.0.0-beta.5/mapbox-gl.js
https://api.mapbox.com/mapbox-gl-js/plugins/mapbox-gl-geocoder/v5.0.0/mapbox-gl-geocoder.min.js
https://api.mapbox.com/mapbox-gl-js/plugins/mapbox-gl-draw/v1.4.2/mapbox-gl-draw.js
Version Parameters
treweler-map-builder/assets/css/treweler-free.css?ver=
treweler-map-builder/assets/css/treweler-admin-new.css?ver=
treweler-map-builder/assets/css/treweler-admin-markers.css?ver=
treweler-map-builder/assets/css/treweler-admin.css?ver=
treweler-map-builder/assets/js/treweler-mapbox.js?ver=
treweler-map-builder/assets/js/treweler-helpers.js?ver=
treweler-map-builder/assets/js/treweler-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
twer-hidden-wp-editor
Data Attributes
data-slug="treweler"
JS Globals
TWER, TWER_IS_FREE, TWER_VERSION
FAQ

Frequently Asked Questions about Treweler Map Builder