Does Where have any unpatched vulnerabilities?

No. All known vulnerabilities in Where have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Where compatible with WordPress 5.8.13?

According to WordPress.org data, Where 1.0.1 has been tested up to WordPress 5.8.13. Check the plugin's changelog for the latest compatibility information.

Is Where compatible with PHP 5.6+?

Where requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Where updated?

Where was last updated on Aug 26, 2021. Frequent updates are generally a positive security signal.

What is Where's security score?

Where has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Where Security & Risk Analysis

wordpress.org/plugins/where

A WordPress plugin to display your site's environment type in the admin bar.

0 active installs v1.0.1 PHP 5.6+ WP 5.2+ Updated Aug 26, 2021

admindev-toolsdevelopment-toolsenvironmentprofile

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Where Safe to Use in 2026?

Generally Safe

Score 85/100

Where has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 4yr ago

Risk Assessment

The "where" plugin v1.0.1 exhibits a strong security posture based on the provided static analysis. The plugin impressively demonstrates adherence to best practices with no identified dangerous functions, all SQL queries utilizing prepared statements, and 100% of output properly escaped. Furthermore, the absence of file operations and external HTTP requests minimizes potential attack vectors. The plugin also boasts a clean vulnerability history with no known CVEs, suggesting a consistent commitment to security by its developers.

However, the analysis also reveals a potential area for improvement. The lack of any identified AJAX handlers, REST API routes, shortcodes, or cron events, while contributing to a minimal attack surface, could indicate a plugin with limited functionality or one that relies on external integration methods not captured in this analysis. The single capability check is positive, but the absence of explicit nonce checks on any entry points (though there are no entry points identified) is a minor concern. Overall, the plugin is currently very secure, but a deeper dive into its actual functionality and integration methods would be beneficial to confirm the lack of latent vulnerabilities.

Key Concerns

No identified nonce checks on entry points

Vulnerabilities

None known

Where Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

Where Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Attack Surface

Where Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 4

actioninitwhere.php:17

actionadmin_bar_menuwhere.php:24

actionadmin_enqueue_scriptswhere.php:25

actionwp_enqueue_scriptswhere.php:26

Maintenance & Trust

Where Maintenance & Trust

Maintenance Signals

WordPress version tested5.8.13

Last updatedAug 26, 2021

PHP min version5.6

Downloads3K

Community Trust

Rating100/100

Number of ratings1

Active installs0

Alternatives

Where Alternatives

Extra User Details

extra-user-details

Add extra fields to the user profile page, saved in WordPress' native way (in wp_usermeta).

1K 2 CVEs

Admin Tweaks

many-tips-together

100

Customize various aspects of WordPress backend. Create a clean and easier admin area for the users.

1K No CVEs

Contextual Adminbar Color

contextual-adminbar-color

100

Use custom admin bar colors and favicons to differentiate your environments (staging/prod)

500 1 CVE

Expire Passwords

expire-passwords

Require certain users to change their passwords on a regular basis.

500 No CVEs

BuddyPress Admin Only Profile Fields

buddypress-admin-only-profile-fields

Easily set the visibility of BuddyPress profile fields to hidden, allowing only admin users to edit and view them.

200 No CVEs

Developer Profile

Where Developer Profile

Brad Parbs

16 plugins · 3K total installs

trust score

Avg Security Score

88/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Where

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes

wp-admin-bar-where

FAQ