wp-forecast Security & Risk Analysis

wordpress.org/plugins/wp-forecast

wp-forecast is a highly customizable plugin for WordPress, showing weather data from open-meteo.com and/or openweathermap.com.

5K active installs · v9.8 · PHP + WP 6.0+ · Updated Jan 11, 2026
Tags: forecast, open-meteo, openweathermap, weather, widget

Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Mar 28, 2024
Safety Verdict

Is wp-forecast Safe to Use in 2026?

Generally Safe

Score 99/100

wp-forecast has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Mar 28, 2024 · Updated 2mo ago
Risk Assessment

The "wp-forecast" plugin, version 9.8, exhibits a mixed security posture. On the positive side, it demonstrates strong practice in SQL query sanitization, using prepared statements for 100% of its queries. All identified entry points (AJAX handlers and shortcodes) also appear to have some form of authentication or permission check, and, importantly, there are no known unpatched vulnerabilities at this time.

Static analysis, however, highlights several areas of concern. The presence of 10 flows with unsanitized paths is a significant red flag, even though none is currently classified as critical or high severity: it indicates potential for input manipulation that could lead to unintended behavior or vulnerabilities if not handled carefully. That 75% of output is properly escaped is good, but the remaining 25% leaves room for Cross-Site Scripting (XSS) vulnerabilities, especially given the plugin's history of XSS-related CVEs.

The plugin's vulnerability history, 2 medium-severity CVEs, both Cross-Site Scripting and the most recent dated March 2024, suggests a pattern of input-sanitization weaknesses. Both are patched, but the history emphasizes the need for diligent, robust sanitization, particularly of user-supplied data processed via the identified unsanitized paths. The plugin has a moderate attack surface with zero unprotected entry points, which is positive, but its 14 file operations and 18 external HTTP requests warrant careful review to ensure they do not introduce further risk.

Key Concerns

  • Unsanitized paths in taint analysis
  • 25% of outputs not properly escaped
  • History of 2 medium severity CVEs (XSS)
  • 14 file operations
  • 18 external HTTP requests
Vulnerabilities (2)

wp-forecast Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2024: 1 CVE

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2024-30429 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
wp-forecast <= 9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Mar 28, 2024 · Patched in 9.3 (7d)

CVE-2022-35725 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
wp-forecast <= 7.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Aug 25, 2022 · Patched in 8.0 (516d)
Code Analysis (analyzed Mar 16, 2026)

wp-forecast Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 154 (458 escaped)
Nonce Checks: 14
Capability Checks: 0
File Operations: 14
External Requests: 18
Bundled Libraries: 0

Output Escaping

75% escaped (612 total outputs)
Data Flows: 10 unsanitized

Data Flow Analysis

12 flows, 10 with unsanitized paths
wpf_search_ajax (trunk\wp-forecast-admin.php:74)
Attack Surface

wp-forecast Attack Surface

Entry Points: 10
Unprotected: 0

AJAX Handlers (8)

nopriv: wp_ajax_wpf_search_ajax (trunk\wp-forecast-admin.php:62)
auth: wp_ajax_wpf_search_ajax (trunk\wp-forecast-admin.php:63)
nopriv: wp_ajax_wpf_check_ajax (trunk\wp-forecast-admin.php:64)
auth: wp_ajax_wpf_check_ajax (trunk\wp-forecast-admin.php:65)
nopriv: wp_ajax_wpf_search_ajax (wp-forecast-admin.php:62)
auth: wp_ajax_wpf_search_ajax (wp-forecast-admin.php:63)
nopriv: wp_ajax_wpf_check_ajax (wp-forecast-admin.php:64)
auth: wp_ajax_wpf_check_ajax (wp-forecast-admin.php:65)

Shortcodes (2)

[wpforecast] (shortcodes.php:61)
[wpforecast] (trunk\shortcodes.php:61)

WordPress Hooks (36)

filter: the_posts (class-wpf-virtualpage.php:75)
filter: plugin_locale (class-wpfuvwidget.php:94)
filter: plugin_locale (class-wpfuvwidget.php:171)
filter: widget_text (shortcodes.php:62)
filter: the_posts (trunk\class-wpf-virtualpage.php:75)
filter: plugin_locale (trunk\class-wpfuvwidget.php:94)
filter: plugin_locale (trunk\class-wpfuvwidget.php:171)
filter: widget_text (trunk\shortcodes.php:62)
action: admin_notices (trunk\wp-forecast-admin.php:68)
filter: plugin_locale (trunk\wp-forecast-admin.php:89)
filter: safe_style_css (trunk\wp-forecast.php:212)
action: init (trunk\wp-forecast.php:417)
action: admin_init (trunk\wp-forecast.php:418)
action: wp_enqueue_scripts (trunk\wp-forecast.php:421)
action: widgets_init (trunk\wp-forecast.php:436)
action: widgets_init (trunk\wp-forecast.php:437)
action: wp_enqueue_scripts (trunk\wp-forecast.php:505)
action: admin_menu (trunk\wp-forecast.php:530)
action: plugins_loaded (trunk\wp-forecast.php:533)
action: init (trunk\wp-forecast.php:536)
filter: upgrader_pre_install (trunk\wpf-autoupdate.php:89)
filter: upgrader_post_install (trunk\wpf-autoupdate.php:90)
action: admin_notices (wp-forecast-admin.php:68)
filter: plugin_locale (wp-forecast-admin.php:89)
filter: safe_style_css (wp-forecast.php:212)
action: init (wp-forecast.php:417)
action: admin_init (wp-forecast.php:418)
action: wp_enqueue_scripts (wp-forecast.php:421)
action: widgets_init (wp-forecast.php:436)
action: widgets_init (wp-forecast.php:437)
action: wp_enqueue_scripts (wp-forecast.php:505)
action: admin_menu (wp-forecast.php:530)
action: plugins_loaded (wp-forecast.php:533)
action: init (wp-forecast.php:536)
filter: upgrader_pre_install (wpf-autoupdate.php:89)
filter: upgrader_post_install (wpf-autoupdate.php:90)
Maintenance & Trust

wp-forecast Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 11, 2026
PHP min version
Downloads: 426K

Community Trust

Rating: 82/100
Number of ratings: 24
Active installs: 5K
Developer Profile

wp-forecast Developer Profile

tuxlog

6 plugins · 6K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 660 days
Detection Fingerprints

How We Detect wp-forecast

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-forecast/wpf_update.js
/wp-content/plugins/wp-forecast/wp-forecast-admin.js
Script Paths
/wp-content/plugins/wp-forecast/wpf_update.js
/wp-content/plugins/wp-forecast/wp-forecast-admin.js
Version Parameters
wpf_update.js?ver=
wp-forecast-admin.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-wpf-widget-id
Shortcode Output
[wp-forecast
[/wp-forecast]
FAQ

Frequently Asked Questions about wp-forecast