Weather Atlas Widget Security & Risk Analysis

wordpress.org/plugins/weather-atlas

The Weather Widget with the Most Active Installations. Highly customizable, simple & beautiful. Detailed current weather, hourly & daily forecasts

9K active installs · v3.0.4 · PHP + WP 4.0+ · Updated Jul 4, 2025
Tags: forecast, location, weather, weather-atlas, weather-widget

Security score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Nov 18, 2024
Safety Verdict

Is Weather Atlas Widget Safe to Use in 2026?

Generally Safe

Score 99/100

Weather Atlas Widget has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Nov 18, 2024 · Updated 9mo ago
Risk Assessment

The weather-atlas v3.0.4 plugin shows a mixed picture. On the positive side, 6 of its 7 SQL queries are prepared, the analysis found no critical or high severity taint flows, and both known CVEs were patched with nothing outstanding. The concerns sit on the attack surface and at the output layer. One REST API route (GET /wp-json/weather-atlas/v1/widgets) is registered without a permission callback, so WordPress serves it to any client; whether that is a vulnerability depends on what the callback returns and accepts, which the scan does not show, but a route that exposes widget configuration with no access decision is the first thing to review. Only 22% of the 638 output sites found (140) go through an escaping function. That ratio is a heuristic rather than a count of bugs, but it matches the plugin's history: both of its CVEs are cross-site scripting. The `unserialize` call in admin\class-weather-atlas-admin.php is a red flag for the same reason: if the string it decodes can be influenced by a user, PHP object injection (and, given a suitable gadget class, code execution) becomes possible; the scan does not establish where that string comes from, so treat it as something to verify rather than a confirmed flaw.

Capability checks (3) and nonce checks (2) are present and the SQL layer is handled carefully, but they do not offset the two direct exposures: input reaching the page unescaped, and a REST route reachable without authentication. In short, the patch record is good and the database layer is sound, while output escaping and the unprotected route are the items a code reviewer or site owner should look at first.

Key Concerns

  • REST API route without permission callback
  • Low percentage of properly escaped output
  • Dangerous function: unserialize
  • Medium severity vulnerabilities in history (XSS)
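The first two concerns above, shown as an added PHP example that is not the Weather Atlas plugin's code: a REST route registered the way the analysis flags it (no `permission_callback`), the hardened registration beside it, and a shortcode handler that whitelists and escapes every attribute before it reaches the page (the pattern behind the plugin's shortcode XSS history). The `wa_example_` names, the `wa-example/v1` namespace and the option key are assumptions; the page's own route is `/wp-json/weather-atlas/v1/widgets`. The snippet runs inside WordPress, for instance as an mu-plugin on a test site, not stand-alone.

```php
<?php
/**
 * Added example; not the Weather Atlas plugin's code. The wa_example_ names,
 * the route namespace and the option key are assumptions. Runs inside
 * WordPress (drop the file into wp-content/mu-plugins/ on a test site).
 */

add_action( 'rest_api_init', function () {
    // FLAGGED PATTERN: no permission_callback. WordPress 5.5+ logs a
    // _doing_it_wrong notice for this, but the route still registers and
    // answers any client that can reach /wp-json/.
    register_rest_route( 'wa-example/v1', '/widgets-open', array(
        'methods'  => 'GET',
        'callback' => 'wa_example_list_widgets',
    ) );

    // HARDENED: an explicit access decision plus argument validation. If the
    // data really is public, return true here on purpose (or use
    // '__return_true'), and then make sure the callback emits nothing secret.
    register_rest_route( 'wa-example/v1', '/widgets', array(
        'methods'             => 'GET',
        'callback'            => 'wa_example_list_widgets',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'id' => array(
                'required'          => false,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function wa_example_list_widgets( WP_REST_Request $request ) {
    $widgets = get_option( 'wa_example_widgets', array() );
    $id      = $request->get_param( 'id' );
    if ( $id ) {
        $widgets = isset( $widgets[ $id ] ) ? array( $id => $widgets[ $id ] ) : array();
    }
    // Strip secrets server-side whoever the caller is; a forecast widget
    // needs its location and units, not the upstream API key.
    foreach ( $widgets as $key => $widget ) {
        if ( is_array( $widget ) ) {
            unset( $widgets[ $key ]['api_key'] );
        }
    }
    return rest_ensure_response( $widgets );
}

// Shortcode handler. Contributors can place shortcodes, so every attribute is
// untrusted: whitelist the keys, constrain the values, escape at the sink.
add_shortcode( 'wa-example', function ( $atts ) {
    $atts = shortcode_atts( array(
        'location' => '',
        'units'    => 'metric',
        'class'    => '',
    ), $atts, 'wa-example' );

    $units = in_array( $atts['units'], array( 'metric', 'imperial' ), true )
        ? $atts['units']
        : 'metric';

    return sprintf(
        '<div class="wa-widget %1$s" data-location="%2$s" data-units="%3$s">%4$s</div>',
        esc_attr( $atts['class'] ),    // attribute context
        esc_attr( $atts['location'] ),
        esc_attr( $units ),
        esc_html( 'Weather for ' . $atts['location'] )  // text context
    );
} );
```

With the hardened route, an anonymous `curl -s https://site/wp-json/wa-example/v1/widgets` gets a `rest_forbidden` error instead of data, while the open variant returns the option contents to anyone. To find the same problem in a plugin you are reviewing, grep for `register_rest_route` and check that every call carries a `permission_callback`; for output, the question to ask at each `echo` or template expression is which context it lands in (attribute, text, URL, JavaScript) and whether the matching `esc_*` function is applied right there.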
Vulnerabilities (2)

Weather Atlas Widget Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched)
2024: 1 CVE (patched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2024-52472 · Medium · CVSS 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Weather Atlas Widget <= 3.0.3 - Unauthenticated Cross-Site Scripting

Nov 18, 2024 · Patched in 3.0.4 (233 days)

CVE-2023-5163 · Medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Weather Atlas Widget <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Oct 29, 2023 · Patched in 2.0.0 (86 days)
Code Analysis
Analyzed Mar 16, 2026

Weather Atlas Widget Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 1 (6 prepared)
Unescaped Output: 498 (140 escaped)
Nonce Checks: 2
Capability Checks: 3
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `update_option( $new_widget_id, unserialize( $example ) );` · admin\class-weather-atlas-admin.php:296
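Why that line earns a second look, as an added example that is not taken from the plugin: `unserialize()` on a string an attacker can influence lets the payload choose which class gets instantiated (PHP object injection). The page does not show where `$example` comes from, so the snippet assumes a hypothetical input and shows the guard that is correct either way: refuse object instantiation with `allowed_classes`, check the decoded shape before anything reaches `update_option()`, and prefer JSON for new code. The `wa_` names and the two input strings are constructed for the demonstration; it runs stand-alone with `php` on the command line.

```php
<?php
/**
 * Added example, not the plugin's code. The wa_ names are assumptions.
 * The flagged call was: update_option( $new_widget_id, unserialize( $example ) );
 */

// Constructed inputs for the demonstration.
$benign = serialize( array( 'location' => 'Oslo', 'units' => 'metric' ) );
// A serialized object. stdClass is harmless, but swap in the name of any
// loaded class with side effects in __wakeup()/__destruct() and this string
// is the object-injection primitive.
$hostile = 'O:8:"stdClass":1:{s:8:"location";s:4:"Oslo";}';

/**
 * Decode a widget definition without letting the payload pick a class.
 * Returns the array on success, null on anything unexpected.
 */
function wa_decode_widget( string $raw ): ?array {
    // allowed_classes => false (PHP 7.0+): objects come back as
    // __PHP_Incomplete_Class instead of being instantiated, so no magic
    // methods of any real class run during decoding.
    $data = @unserialize( $raw, array( 'allowed_classes' => false ) );

    // Only a flat array of scalar values keyed by strings is acceptable;
    // an incomplete-class object fails the first test, nested objects the second.
    if ( ! is_array( $data ) ) {
        return null;
    }
    foreach ( $data as $key => $value ) {
        if ( ! is_string( $key ) || ! is_scalar( $value ) ) {
            return null;
        }
    }
    return $data;
}

// Preferred for new code: JSON has no way to instantiate objects at all.
function wa_decode_widget_json( string $raw ): ?array {
    $data = json_decode( $raw, true );
    return ( json_last_error() === JSON_ERROR_NONE && is_array( $data ) ) ? $data : null;
}

var_dump( wa_decode_widget( $benign ) );   // the two-key array
var_dump( wa_decode_widget( $hostile ) );  // null, the object was rejected

// The shape the flagged update_option() call should take (WordPress only):
$widget = wa_decode_widget( $benign );
if ( null !== $widget ) {
    // update_option( $new_widget_id, $widget );
}
```

`update_option()` serializes arrays itself, so handing it the validated array is the normal path; the only reason to call `unserialize()` first is that the source is already a serialized blob, and that is precisely the case that needs the `allowed_classes` guard and the shape check.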

SQL Query Safety

86% prepared (7 total queries)

Output Escaping

22% escaped (638 total outputs)
Data Flows (1 unsanitized)

Data Flow Analysis

2 flows, 1 with unsanitized paths:
  • <weather-atlas-widget> (admin\weather-atlas-widget.php:0)
Attack Surface (1 unprotected)

Weather Atlas Widget Attack Surface

Entry Points: 2 · Unprotected: 1

REST API Routes (1)

GET /wp-json/weather-atlas/v1/widgets · block\class-weather-atlas-rest-api.php:17 (unprotected: no permission callback)

Shortcodes (1)

[shortcode-weather-atlas] · includes\class-weather-atlas.php:1063

WordPress Hooks (11)

action admin_menu · admin\class-weather-atlas-admin.php:51
action admin_init · admin\class-weather-atlas-admin.php:57
filter plugin_action_links_weather-atlas/weather-atlas.php · admin\class-weather-atlas-admin.php:314
action rest_api_init · block\class-weather-atlas-rest-api.php:8
action init · includes\class-weather-atlas.php:100
action plugins_loaded · includes\class-weather-atlas.php:163
action admin_enqueue_scripts · includes\class-weather-atlas.php:176
action admin_enqueue_scripts · includes\class-weather-atlas.php:177
action wp_enqueue_scripts · includes\class-weather-atlas.php:190
action wp_enqueue_scripts · includes\class-weather-atlas.php:191
action widgets_init · includes\class-weather-atlas.php:217
Maintenance & Trust

Weather Atlas Widget Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jul 4, 2025
PHP min version:
Downloads: 179K

Community Trust

Rating: 82/100
Number of ratings: 41
Active installs: 9K
Developer Profile

Weather Atlas Widget Developer Profile

Weather Atlas · 1 plugin · 9K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 160 days
Detection Fingerprints

How We Detect Weather Atlas Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/weather-atlas/admin/css/weather-atlas-admin.min.css
/wp-content/plugins/weather-atlas/public/css/weather-atlas-public.min.css
/wp-content/plugins/weather-atlas/public/font/weather-icons/weather-icons.min.css
/wp-content/plugins/weather-atlas/admin/js/weather-atlas-admin.min.js
/wp-content/plugins/weather-atlas/admin/js/wp-color-picker-alpha.min.js

Script Paths
/wp-content/plugins/weather-atlas/admin/js/weather-atlas-admin.min.js
/wp-content/plugins/weather-atlas/admin/js/wp-color-picker-alpha.min.js

Version Parameters
weather-atlas-admin?ver=
weather-atlas-public?ver=
weather-icons?ver=
wp-color-picker-alpha?ver=

HTML / DOM Fingerprints

CSS Classes
weather-atlas-admin-wrap, weather-atlas-widget-settings, weather-atlas-location-form, weather-atlas-location-list, weather-atlas-widget-preview, weather-atlas-forecast-widget

HTML Comments
<!-- admin menu hook -->, <!-- Settings page -->, <!-- Add New Location page -->, <!-- Settings page --> (+1 more)

Data Attributes
data-weather-atlas-location, data-weather-atlas-api-key, data-weather-atlas-widget-id

JS Globals
WeatherAtlasAdmin, WeatherAtlasPublic

REST Endpoints
/wp-json/weather-atlas/v1/locations
/wp-json/weather-atlas/v1/settings

Shortcode Output
[weather_atlas_widget], [weather_atlas_forecast]
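How a crawler would apply the fingerprints above, as an added PHP example that is not the auditing service's own detector: it matches the plugin's asset paths (taking any `?ver=` value as a version hint), the public CSS classes and data attributes, the JS globals and the REST namespace, and only claims a detection when the evidence is hard to collide with. The `wa_fingerprint` name is an assumption, the HTML fragment is constructed for the demonstration, and the script runs stand-alone with `php`.

```php
<?php
/**
 * Added example of consuming the fingerprints listed above; not the service's
 * own detector. The HTML fragment is constructed, not fetched from a real site.
 */

// Constructed page fragment of the kind a crawler would see on a front page.
$sample_html = <<<'HTML'
<link rel="stylesheet" id="weather-atlas-public-css"
  href="https://example.test/wp-content/plugins/weather-atlas/public/css/weather-atlas-public.min.css?ver=3.0.4">
<link rel="stylesheet" id="weather-icons-css"
  href="https://example.test/wp-content/plugins/weather-atlas/public/font/weather-icons/weather-icons.min.css?ver=3.0.4">
<div class="weather-atlas-forecast-widget" data-weather-atlas-location="Oslo"></div>
<script>var WeatherAtlasPublic = {"rest":"https:\/\/example.test\/wp-json\/weather-atlas\/v1\/locations"};</script>
HTML;

/**
 * Look for the plugin's fingerprints and return what matched, plus the best
 * version guess taken from ?ver= on the plugin's own assets.
 */
function wa_fingerprint( string $html ): array {
    $evidence = array();
    $version  = null;

    // 1. Asset paths under the plugin directory, with an optional ?ver= value.
    if ( preg_match_all(
        '#/wp-content/plugins/weather-atlas/[^"\'\s?]+(?:\?ver=([0-9][0-9.]*))?#',
        $html, $m, PREG_SET_ORDER ) ) {
        $evidence['asset_paths'] = count( $m );
        // Rows without a ?ver= group are skipped by array_column.
        $versions = array_values( array_filter( array_column( $m, 1 ) ) );
        // Caveat: when a plugin enqueues without a version argument, WordPress
        // appends its own core version as ?ver=, so this is a hint, not proof.
        $version = $versions ? $versions[0] : null;
    }

    // 2. CSS classes and data attributes in the rendered DOM.
    $dom_markers = array(
        'weather-atlas-forecast-widget', 'weather-atlas-widget-preview',
        'data-weather-atlas-location', 'data-weather-atlas-widget-id',
    );
    foreach ( $dom_markers as $marker ) {
        if ( false !== strpos( $html, $marker ) ) {
            $evidence['dom'][] = $marker;
        }
    }

    // 3. JS globals and the REST namespace. Inline JSON escapes slashes, so
    //    normalise before looking for the endpoint path.
    $unescaped = str_replace( '\/', '/', $html );
    foreach ( array( 'WeatherAtlasPublic', 'WeatherAtlasAdmin' ) as $global ) {
        if ( preg_match( '/\b' . $global . '\b/', $unescaped ) ) {
            $evidence['js_globals'][] = $global;
        }
    }
    if ( false !== strpos( $unescaped, '/wp-json/weather-atlas/v1/' ) ) {
        $evidence['rest'] = true;
    }

    // A plugin-directory asset path is strong on its own; otherwise require two
    // independent categories, since a lone class name is easy to collide with.
    return array(
        'detected' => isset( $evidence['asset_paths'] ) || count( $evidence ) >= 2,
        'version'  => $version,
        'evidence' => $evidence,
    );
}

print_r( wa_fingerprint( $sample_html ) );
```

Two caveats a practitioner will hit: asset optimisers that concatenate or rename CSS/JS remove the path fingerprints while leaving the DOM ones, and the admin-side markers (`weather-atlas-admin-wrap`, `WeatherAtlasAdmin`) are only visible to logged-in users, so an unauthenticated crawl should not expect them. When the version matters, confirm it against the `Stable tag` line of the plugin's `readme.txt` if the site leaves it readable.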
FAQ

Frequently Asked Questions about Weather Atlas Widget