WC – APG City Security & Risk Analysis

wordpress.org/plugins/wc-apg-city

Add to WooCommerce an automatic city name generated from postcode.

100 active installs · v2.0.4 · PHP + WP 5.0+ · Updated Feb 10, 2026
Tags: city, geonames, google-maps, postcode, state
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WC – APG City Safe to Use in 2026?

Generally Safe

Score 100/100

WC – APG City has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The "wc-apg-city" plugin v2.0.4 exhibits a concerning security posture primarily due to its extensive use of unprotected AJAX handlers. While the code analysis reveals good practices in SQL query preparation and output escaping, the presence of four AJAX handlers without any authentication checks represents a significant attack surface. This means any unauthenticated user could potentially trigger these functions, leading to unintended actions or information disclosure depending on their implementation. The taint analysis shows no critical or high severity unsanitized flows, and the plugin has a clean vulnerability history with no known CVEs, which are positive indicators. However, the lack of capability checks and the reliance on unauthenticated AJAX endpoints overshadow these strengths.

Key Concerns

  • 4 unprotected AJAX handlers
  • 0 capability checks
  • 2 nonce checks (implies missing on others)
Vulnerabilities
None known

WC – APG City Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WC – APG City Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (8 prepared)
Unescaped Output: 3 (74 escaped)
Nonce Checks: 2
Capability Checks: 0
File Operations: 1
External Requests: 3
Bundled Libraries: 0

SQL Query Safety

80% prepared, 10 total queries

Output Escaping

96% escaped, 77 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
apg_city_api_lookup (includes\geonames-local.php:418)
Diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
4 unprotected

WC – APG City Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers (4)

  • auth: wp_ajax_apg_city_lookup (apg-city.php:56)
  • nopriv: wp_ajax_apg_city_lookup (apg-city.php:57)
  • auth: wp_ajax_apg_city_api_lookup (apg-city.php:58)
  • nopriv: wp_ajax_apg_city_api_lookup (apg-city.php:59)

WordPress Hooks (13)

  • filter: cron_schedules (apg-city.php:50)
  • action: init (apg-city.php:52)
  • action: before_woocommerce_init (apg-city.php:65)
  • action: admin_menu (apg-city.php:91)
  • action: admin_init (apg-city.php:146)
  • filter: woocommerce_screen_ids (apg-city.php:160)
  • filter: woocommerce_default_address_fields (apg-city.php:269)
  • action: wp_footer (apg-city.php:270)
  • action: woocommerce_checkout_process (apg-city.php:292)
  • action: admin_notices (apg-city.php:294)
  • filter: plugin_row_meta (includes\admin\funciones-apg.php:66)
  • action: admin_enqueue_scripts (includes\admin\funciones-apg.php:160)
  • action: enqueue_block_assets (includes\bloques.php:92)

Maintenance & Trust

WC – APG City Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 10, 2026
PHP min version
Downloads: 8K

Community Trust

Rating: 94/100
Number of ratings: 3
Active installs: 100
Developer Profile

WC – APG City Developer Profile

Art Project Group

9 plugins · 19K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 258 days
Detection Fingerprints

How We Detect WC – APG City

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wc-apg-city/assets/js/apg-city-campo.js
/wp-content/plugins/wc-apg-city/assets/css/apg-cigy-classic.css
Script Paths
/wp-content/plugins/wc-apg-city/assets/js/apg-city-campo.js
Version Parameters
wc-apg-city/assets/js/apg-city-campo.js?ver=
wc-apg-city/assets/css/apg-cigy-classic.css?ver=

HTML / DOM Fingerprints

CSS Classes
apg-city-campo-readonly
HTML Comments
<!-- Igual no deberías poder abrirme. -->
Data Attributes
readonly
data-readonly-color
JS Globals
apg_city_data
REST Endpoints
/wp-json/apg-city/v1/lookup
/wp-json/apg-city/v1/api-lookup