WP Geo Security & Risk Analysis

wordpress.org/plugins/wp-geo

Adds location maps to your posts, pages and custom post types.

1K active installs · v3.5.1 · PHP + · WP 4.3+ · Updated Apr 16, 2020
Tags: geo, geocoding, google, map, maps
63
C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Sep 28, 2025
Safety Verdict

Is WP Geo Safe to Use in 2026?

Use With Caution

Score 63/100

WP Geo has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 28, 2025 · Updated 5yr ago
Risk Assessment

The wp-geo plugin version 3.5.1 has a mixed security posture. Static analysis shows a relatively low attack surface, with every identified entry point protected by at least a capability check, but code quality and past vulnerabilities raise significant concerns.

The analysis shows that 52% of output is not properly escaped, a substantial weakness that could lead to Cross-Site Scripting (XSS) if malicious input gets past the limited number of capability checks. The presence of raw SQL queries without prepared statements is a further risk that could be exploited for SQL injection. The plugin's history of known vulnerabilities includes a medium-severity XSS issue that is currently unpatched, a major red flag indicating a pattern of insecure coding practices that have not been fully addressed. That the last vulnerability dates from September 2025 is particularly concerning, as it suggests a recent and potentially ongoing security weakness.

Although the plugin has no critical taint flows and a limited number of file operations, the combination of unescaped output, raw SQL, and an unpatched medium-severity vulnerability calls for caution.

Key Concerns

  • Unpatched medium severity CVE
  • High percentage of unescaped output
  • SQL queries without prepared statements
Vulnerabilities
1

WP Geo Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-62904 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Geo <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 28, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

WP Geo Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 87 (80 escaped)
Nonce Checks: 2
Capability Checks: 6
File Operations: 3
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

48% escaped · 167 total outputs
Attack Surface

WP Geo Attack Surface

Entry Points: 9
Unprotected: 0

Shortcodes 9

[wpgeo_latitude] includes\shortcodes.php:16
[wpgeo_longitude] includes\shortcodes.php:32
[wpgeo_title] includes\shortcodes.php:53
[wpgeo_map_link] includes\shortcodes.php:79
[wpgeo_static_map] includes\shortcodes.php:107
[wpgeo_map] includes\shortcodes.php:155
[wp_geo_map] includes\shortcodes.php:158
[wpgeo_mashup] includes\shortcodes.php:199
[wpgeo] includes\shortcodes.php:235
WordPress Hooks 63
action admin_init admin\admin.php:14
action admin_head admin\admin.php:15
action admin_menu admin\admin.php:16
action admin_menu admin\admin.php:17
action edit_attachment admin\admin.php:18
action save_post admin\admin.php:19
action admin_notices admin\admin.php:20
filter plugin_row_meta admin\admin.php:21
action after_plugin_row admin\admin.php:22
action admin_enqueue_scripts admin\admin.php:23
action admin_enqueue_scripts admin\admin.php:40
action wp_dashboard_setup admin\dashboard.php:15
filter wp_dashboard_widgets admin\dashboard.php:16
filter mce_buttons admin\editor.php:27
filter mce_external_plugins admin\editor.php:28
filter plugin_action_links admin\settings.php:345
action wpgeo_register_scripts api\googlemapsv2\googlemapsv2.php:12
action wpgeo_enqueue_scripts api\googlemapsv2\googlemapsv2.php:13
filter wpgeo_api_string api\googlemapsv2\googlemapsv2.php:14
action wpgeo_api_googlemapsv2_js api\googlemapsv2\googlemapsv2.php:15
filter wpgeo_api_googlemapsv2_markericon api\googlemapsv2\googlemapsv2.php:16
action wpgeo_widget_form_fields api\googlemapsv2\googlemapsv2.php:17
action wpgeo_register_scripts api\googlemapsv3\googlemapsv3.php:12
action wpgeo_enqueue_scripts api\googlemapsv3\googlemapsv3.php:13
filter wpgeo_api_string api\googlemapsv3\googlemapsv3.php:14
filter wpgeo_decode_api_string api\googlemapsv3\googlemapsv3.php:15
action wpgeo_api_googlemapsv3_js api\googlemapsv3\googlemapsv3.php:16
filter wpgeo_api_googlemapsv3_markericon api\googlemapsv3\googlemapsv3.php:17
filter wpgeo_check_google_api_key api\googlemapsv3\googlemapsv3.php:18
action init includes\feeds.php:12
filter feed_content_type includes\feeds.php:22
filter post_limits includes\feeds.php:23
action rss2_ns includes\feeds.php:71
action atom_ns includes\feeds.php:72
action rdf_ns includes\feeds.php:73
action rss_item includes\feeds.php:74
action rss2_item includes\feeds.php:75
action atom_entry includes\feeds.php:76
action rdf_item includes\feeds.php:77
filter post_limits includes\query.php:13
filter posts_join includes\query.php:14
filter posts_where includes\query.php:15
action plugins_loaded includes\wp-geo.php:47
action init includes\wp-geo.php:48
action init includes\wp-geo.php:49
action wp_enqueue_scripts includes\wp-geo.php:50
action wp_head includes\wp-geo.php:51
action wp_head includes\wp-geo.php:52
action wp_footer includes\wp-geo.php:53
action admin_footer includes\wp-geo.php:54
filter the_content includes\wp-geo.php:57
filter get_the_excerpt includes\wp-geo.php:58
filter option_wp_geo_options includes\wp-geo.php:59
filter clean_url includes\wp-geo.php:60
filter posts_join includes\wp-geo.php:938
filter posts_groupby includes\wp-geo.php:939
action widgets_init widgets\category-map.php:93
action widgets_init widgets\contextual-map.php:80
action wpgeo_widget_form_fields widgets\recent-locations.php:25
action wpgeo_widget_form_fields widgets\recent-locations.php:26
action widgets_init widgets\recent-locations.php:130
action wpgeo_widget_form_fields widgets\wpgeo-widget.php:14
action wpgeo_widget_form_fields widgets\wpgeo-widget.php:15
Maintenance & Trust

WP Geo Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: Apr 16, 2020
PHP min version
Downloads: 108K

Community Trust

Rating: 96/100
Number of ratings: 17
Active installs: 1K
Developer Profile

WP Geo Developer Profile

Ben Huson

16 plugins · 21K total installs

Trust score: 90
Avg Security Score: 86/100
Avg Patch Time: 2 days
Detection Fingerprints

How We Detect WP Geo

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-geo/css/wp-geo.css
Version Parameters
wp-geo/css/wp-geo.css?ver=
