User IP and Location Security & Risk Analysis

wordpress.org/plugins/user-ip-and-location

Want to show your website visitors their IP address, location, and other cool details? This plugin makes it super easy! Now works perfectly with cachi …

3K active installs v4.0.2 PHP 7.2+ WP 5.0+ Updated Jul 15, 2025
Tags: country-code, geolocation, region, user-ip-address, user-location
Score: 100 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 28, 2023
Safety Verdict

Is User IP and Location Safe to Use in 2026?

Generally Safe

Score 100/100

User IP and Location has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 28, 2023 · Updated 10mo ago
Risk Assessment

The 'user-ip-and-location' plugin version 4.0.2 presents a generally good security posture, with strong adherence to secure coding practices such as 100% use of prepared statements for SQL queries and a high percentage of properly escaped output. The absence of dangerous functions, file operations, and critical or high severity taint flows is commendable. However, there are specific areas that warrant attention. The presence of one unprotected REST API route represents a significant attack vector, as it could potentially be exploited without proper authentication. The vulnerability history, while not indicating currently unpatched critical issues, does show a past medium severity Cross-Site Scripting (XSS) vulnerability, which suggests the need for ongoing vigilance and thorough code reviews to prevent recurrence. Overall, the plugin demonstrates a solid foundation but requires careful monitoring and a focus on securing all entry points.

Key Concerns

  • Unprotected REST API route found
  • Past medium severity XSS vulnerability
  • Flow with unsanitized paths in taint analysis
Vulnerabilities
1 published

User IP and Location Security Vulnerabilities

CVEs by Year

1 CVE in 2023

Severity Breakdown

Medium: 1

1 total CVE

CVE-2023-30780 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

User IP and Location <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Apr 28, 2023 Patched in 2.2.1 (270d)
Version History

User IP and Location Release Timeline

v4.0.1
v3.2
v3.1
Code Analysis
Analyzed Mar 16, 2026

User IP and Location Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 6 (52 escaped)
Nonce Checks: 2
Capability Checks: 3
File Operations: 0
External Requests: 5
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

90% escaped · 58 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
<class-user-ip-location> (includes\class-user-ip-location.php:0)
Attack Surface
1 unprotected

User IP and Location Attack Surface

Entry Points: 8
Unprotected: 1

AJAX Handlers 1

auth wp_ajax_user_ip_location_dismiss_cache_notice includes\functions-developer.php:285

REST API Routes 2

GET /wp-json/user-ip/v1/location includes\functions-developer.php:29
GET /wp-json/user-ip/v1/data includes\functions-developer.php:38

Shortcodes 5

[userip_location] inc\user-ip-functions.php:98
[userip_location] includes\functions-shortcodes.php:81
[userip_localtime] includes\functions-shortcodes.php:93
[userip_localdate] includes\functions-shortcodes.php:105
[userip_conditional] includes\functions-shortcodes.php:153
WordPress Hooks 14
action admin_menu admin\class-admin-settings.php:33
action admin_init admin\class-admin-settings.php:34
action admin_menu admin\user-ip-menu.php:13
action rest_api_init includes\functions-developer.php:44
action init includes\functions-developer.php:70
filter litespeed_cache_rest_api_exclude includes\functions-developer.php:163
filter w3tc_cache_page_exclude includes\functions-developer.php:172
filter rocket_cache_reject_uri includes\functions-developer.php:181
filter wp_super_cache_exclude_uri includes\functions-developer.php:190
filter flying_press_cache_exclude_urls includes\functions-developer.php:199
action init includes\functions-developer.php:206
action admin_notices includes\functions-developer.php:263
action wp_enqueue_scripts includes\functions-shortcodes.php:29
action admin_notices user-ip-and-location.php:60
Maintenance & Trust

User IP and Location Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jul 15, 2025
PHP min version: 7.2
Downloads: 38K

Community Trust

Rating: 84/100
Number of ratings: 9
Active installs: 3K
Developer Profile

User IP and Location Developer Profile

Sunny Kumar

1 plugin · 3K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 270 days
Detection Fingerprints

How We Detect User IP and Location

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/user-ip-and-location/assets/js/user-ip-location.js
Script Paths
/wp-content/plugins/user-ip-and-location/assets/js/user-ip-location.js
Version Parameters
user-ip-and-location/assets/js/user-ip-location.js?ver=

HTML / DOM Fingerprints

CSS Classes
user-ip-placeholder, user-ip-conditional
Data Attributes
data-type, data-height, data-width, data-vertical-align, data-conditions
JS Globals
userIpLocationData
REST Endpoints
/wp-json/user-ip/v1/data
Shortcode Output
<span class="user-ip-placeholder"
<div class="user-ip-conditional"
FAQ

Frequently Asked Questions about User IP and Location