WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters Security & Risk Analysis

wordpress.org/plugins/wp-google-map-plugin

WordPress map plugin for Google Maps, OpenStreetMap & Mapbox with store locator, filterable listings & custom markers.

60K active installs v4.9.2 PHP 5.3+ WP 3.4+ Updated Mar 5, 2026
Tags: directory, google-maps, map, openstreetmap, store-locator
Score: 88 (A · Safe)
CVEs total: 20
Unpatched: 0
Last CVE: Mar 10, 2026
Safety Verdict

Is WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters Safe to Use in 2026?

Generally Safe

Score 88/100

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters has a strong security track record. Known vulnerabilities have been patched promptly.

20 known CVEs · Last CVE: Mar 10, 2026 · Updated 29d ago
Risk Assessment

The "wp-google-map-plugin" v4.9.2 exhibits a mixed security posture. While it demonstrates good practices with a high percentage of prepared SQL statements and properly escaped output, there are significant concerns related to its attack surface and past vulnerability history. The presence of 10 AJAX handlers, with 2 lacking authentication checks, presents a direct entry point for potential exploitation. Furthermore, the taint analysis revealed one high-severity flow, indicating a potential for serious security issues if not properly handled. The plugin's history of 20 CVEs, particularly the high number of high and medium severity vulnerabilities, including path traversal, SQL injection, XSS, deserialization, and CSRF, suggests a recurring pattern of security weaknesses. While there are currently no unpatched CVEs, the historical prevalence of these critical vulnerability types warrants caution. The use of Select2, a bundled library, could also pose a risk if it's an outdated or vulnerable version. Overall, the plugin has some strengths in its code handling but is significantly undermined by its attack surface and historical susceptibility to severe vulnerabilities.

Key Concerns

  • AJAX handlers without auth checks
  • High severity taint flow
  • History of 9 high severity CVEs
  • History of 11 medium severity CVEs
  • Bundled library (Select2)
Vulnerabilities: 20

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters Security Vulnerabilities

CVEs by Year

  • 2015: 5 CVEs
  • 2016: 1 CVE
  • 2018: 1 CVE
  • 2019: 2 CVEs
  • 2020: 1 CVE
  • 2022: 1 CVE
  • 2023: 2 CVEs
  • 2024: 1 CVE
  • 2025: 4 CVEs
  • 2026: 2 CVEs

Severity Breakdown

High: 9
Medium: 11

20 total CVEs

CVE-2026-3222 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter

Mar 10, 2026 Patched in 4.9.2 (1d)

CVE-2025-12062 · high · 8.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WP Maps <= 4.8.6 - Authenticated (Subscriber+) Limited Local File Inclusion

Feb 16, 2026 Patched in 4.8.7 (1d)

CVE-2025-67535 · medium · 6.6 · Deserialization of Untrusted Data

Maps <= 4.8.6 - Authenticated (Administrator+) PHP Object Injection

Nov 2, 2025 Patched in 4.8.7 (40d)

CVE-2025-3504 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Maps – Display Google Maps Perfectly with Ease <= 4.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 10, 2025 Patched in 4.7.2 (55d)

CVE-2025-3502 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Maps – Display Google Maps Perfectly with Ease <= 4.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 10, 2025 Patched in 4.7.2 (55d)

CVE-2025-3503 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Maps – Display Google Maps Perfectly with Ease <= 4.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 10, 2025 Patched in 4.7.2 (55d)

CVE-2024-2386 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WordPress Plugin for Google Maps – WP MAPS <= 4.6.1 - Authenticated (Contributor+) SQL Injection

Jun 28, 2024 Patched in 4.6.2 (2d)

CVE-2023-28172 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

WP Google Map Plugin <= 4.4.2 - Cross-Site Request Forgery via delete()

Mar 13, 2023 Patched in 4.4.3 (316d)

CVE-2023-23878 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP MAPS <= 4.3.9 - Authenticated (Editor+) Stored Cross-Site Scripting

Jan 20, 2023 Patched in 4.4.0 (368d)

CVE-2022-25600 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

WP MAPS – Easiest & Most Advanced WordPress Plugin for Google Maps <= 4.2.3 - Cross-Site Request Forgery

Feb 22, 2022 Patched in 4.2.4 (699d)

CVE-2021-24130 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Google Map Plugin <= 4.1.4 - Authenticated SQL Injection via Orderby

Nov 25, 2020 Patched in 4.1.5 (1154d)

WF-4186fe8d-ca09-4b82-9500-7b16bd10b044-wp-google-map-plugin · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP MAPS – Easiest & Most Advanced WordPress Plugin for Google Maps <= 4.0.9 - Reflected Cross-Site Scripting

Sep 21, 2019 Patched in 4.1.0 (1585d)

WF-a5ba9285-9f41-44dd-83c7-e9c377d9de51-wp-google-map-plugin · high · 8.8 · Deserialization of Untrusted Data

WP Google Map Plugin <= 4.0.9 - Cross-Site Request Forgery to PHP Object Injection

Sep 21, 2019 Patched in 4.1.0 (1585d)

CVE-2018-0577 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP MAPS – Easiest & Most Advanced WordPress Plugin for Google Maps < 4.0.4 - Cross-Site Scripting

Apr 27, 2018 Patched in 4.0.4 (2097d)

CVE-2016-10878 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Google Map Plugin <= 3.1.1 - Cross-Site Scripting

Jul 27, 2016 Patched in 3.1.2 (2736d)

CVE-2015-9309 · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP Google Map Plugin < 2.3.10 - Cross-Site Request Forgery

Aug 21, 2015 Patched in 2.3.10 (3077d)

CVE-2015-9307 · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP Google Map Plugin < 2.3.10 - Cross-Site Request Forgery

Aug 21, 2015 Patched in 2.3.10 (3077d)

CVE-2015-9308 · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP Google Map Plugin < 2.3.10 - Cross-Site Request Forgery

Aug 21, 2015 Patched in 2.3.10 (3077d)

WF-01105d96-e181-4228-b785-074a4b49ce18-wp-google-map-plugin · high · 7.1 · Cross-Site Request Forgery (CSRF)

WP Google Map Plugin < 3.0.0 - Cross-Site Request Forgery to Cross-Site Scripting

Aug 20, 2015 Patched in 3.0.0 (3078d)

CVE-2015-9305 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Google Map Plugin < 2.3.7 - Reflected Cross-Site Scripting

Apr 24, 2015 Patched in 2.3.7 (3196d)
Code Analysis
Analyzed Mar 16, 2026

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (27 prepared)
Unescaped Output: 52 (465 escaped)
Nonce Checks: 28
Capability Checks: 7
File Operations: 16
External Requests: 5
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

93% prepared · 29 total queries

Output Escaping

90% escaped · 517 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

16 flows · 2 with unsanitized paths
fc_communication (core\class.initiate-core.php:86)
Attack Surface: 2 unprotected

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters Attack Surface

Entry Points: 11
Unprotected: 2

AJAX Handlers 10

auth · wp_ajax_fc_communication · core\class.initiate-core.php:25
auth · wp_ajax_check_products_updates · core\class.initiate-core.php:26
auth · wp_ajax_core_templates · core\class.initiate-core.php:28
auth · wp_ajax_wpgmp_ajax_call · wp-google-map-plugin.php:76
auth · wp_ajax_wpdfenabledebug · wp-google-map-plugin.php:93
nopriv · wp_ajax_wpdfenabledebug · wp-google-map-plugin.php:94
auth · wp_ajax_wpgmp_temp_access_ajax · wp-google-map-plugin.php:95
nopriv · wp_ajax_wpgmp_temp_access_ajax · wp-google-map-plugin.php:96
auth · wp_ajax_wpgmp_submit_uninstall_reason_action · wp-google-map-plugin.php:104
nopriv · wp_ajax_wpgmp_submit_uninstall_reason_action · wp-google-map-plugin.php:105

Shortcodes 1

[put_wpgm] wp-google-map-plugin.php:82

WordPress Hooks 50

filter · wpgmp_accept_cookies · classes\wpgmp-check-cookies.php:5
filter · wpgmp_before_container · classes\wpgmp-check-cookies.php:81
filter · wpgmp_container_css_class · classes\wpgmp-check-cookies.php:98
filter · wpgmp_form_footer_html · classes\wpgmp-pro-feature-ui.php:18
filter · wpgmp_field_group_label · classes\wpgmp-pro-feature-ui.php:19
filter · wpgmp_input_label · classes\wpgmp-pro-feature-ui.php:20
filter · wpgmp_input_field_submit · classes\wpgmp-pro-feature-ui.php:21
filter · wpgmp_input_field_button · classes\wpgmp-pro-feature-ui.php:22
filter · wpgmp_element_before_start_row · classes\wpgmp-pro-feature-ui.php:23
filter · wpgmp_template_directory · classes\wpgmp-pro-feature-ui.php:24
action · admin_enqueue_scripts · core\class.initiate-core.php:27
action · wpmapspro_check_notification · core\class.notifications.php:13
filter · wpgmp_integrations_list · integrations\class-wpgmp-integration-clarity.php:10
filter · wpgmp_integration_nav_clarity · integrations\class-wpgmp-integration-clarity.php:11
action · wpgmp_render_integration_clarity_settings · integrations\class-wpgmp-integration-clarity.php:12
action · wpgmp_render_integration_clarity_help · integrations\class-wpgmp-integration-clarity.php:13
filter · wpgmp_integrations_list · integrations\class-wpgmp-integration-ga4.php:12
filter · wpgmp_integration_nav_ga4 · integrations\class-wpgmp-integration-ga4.php:13
action · wpgmp_render_integration_ga4_settings · integrations\class-wpgmp-integration-ga4.php:14
action · wpgmp_render_integration_ga4_help · integrations\class-wpgmp-integration-ga4.php:15
filter · wpgmp_integrations_list · integrations\class-wpgmp-integration-meta.php:10
filter · wpgmp_integration_nav_metapixel · integrations\class-wpgmp-integration-meta.php:11
action · wpgmp_render_integration_metapixel_settings · integrations\class-wpgmp-integration-meta.php:12
action · wpgmp_render_integration_metapixel_help · integrations\class-wpgmp-integration-meta.php:13
filter · wpgmp_integrations_list · integrations\class-wpgmp-integration-zapier.php:10
filter · wpgmp_integration_nav_zapier · integrations\class-wpgmp-integration-zapier.php:11
action · wpgmp_render_integration_zapier_settings · integrations\class-wpgmp-integration-zapier.php:12
action · wpgmp_render_integration_zapier_help · integrations\class-wpgmp-integration-zapier.php:13
action · wpmu_new_blog · wp-google-map-plugin.php:67
filter · wpmu_drop_tables · wp-google-map-plugin.php:68
action · init · wp-google-map-plugin.php:71
action · plugins_loaded · wp-google-map-plugin.php:72
action · plugins_loaded · wp-google-map-plugin.php:73
action · widgets_init · wp-google-map-plugin.php:74
action · wp_enqueue_scripts · wp-google-map-plugin.php:75
filter · media_upload_tabs · wp-google-map-plugin.php:78
filter · fc-dummy-placeholders · wp-google-map-plugin.php:79
filter · fc_tabular_action_cap · wp-google-map-plugin.php:80
action · admin_head · wp-google-map-plugin.php:86
action · admin_menu · wp-google-map-plugin.php:87
action · admin_init · wp-google-map-plugin.php:88
action · admin_init · wp-google-map-plugin.php:89
action · admin_enqueue_scripts · wp-google-map-plugin.php:90
action · media_upload_ell_insert_gmap_tab · wp-google-map-plugin.php:91
action · media_upload_ell_insert_gmap_svg_tab · wp-google-map-plugin.php:92
filter · plugin_row_meta · wp-google-map-plugin.php:98
filter · wpgmp_form_header_html · wp-google-map-plugin.php:99
filter · fc_manage_page_basic_query · wp-google-map-plugin.php:100
filter · fc_plugin_nav_menu · wp-google-map-plugin.php:102
action · admin_enqueue_scripts · wp-google-map-plugin.php:106

Scheduled Events 1

wpmapspro_check_notification
Maintenance & Trust

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 5.3
Downloads: 3.6M

Community Trust

Rating: 86/100
Number of ratings: 121
Active installs: 60K
Developer Profile

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters Developer Profile

Flipper Code - WordPress Development Company

4 plugins · 63K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 1250 days
Detection Fingerprints

How We Detect WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-google-map-plugin/assets/css/frontend.css
  • /wp-content/plugins/wp-google-map-plugin/assets/css/jquery.dataTables.min.css
  • /wp-content/plugins/wp-google-map-plugin/assets/css/map.css
  • /wp-content/plugins/wp-google-map-plugin/assets/css/owl.carousel.min.css
  • /wp-content/plugins/wp-google-map-plugin/assets/css/responsive.css
  • /wp-content/plugins/wp-google-map-plugin/assets/css/style.css
  • /wp-content/plugins/wp-google-map-plugin/assets/js/admin-map.js
  • /wp-content/plugins/wp-google-map-plugin/assets/js/admin-scripts.js
  • +9 more
Script Paths
  • /wp-content/plugins/wp-google-map-plugin/assets/js/admin-scripts.js
  • /wp-content/plugins/wp-google-map-plugin/assets/js/frontend.js
  • /wp-content/plugins/wp-google-map-plugin/assets/js/google-maps-api.js
  • /wp-content/plugins/wp-google-map-plugin/assets/js/wpgmp-scripts.js
  • /wp-content/plugins/wp-google-map-plugin/assets/js/wpgmp-tinymce.js
Version Parameters
  • wp-google-map-plugin/assets/css/frontend.css?ver=
  • wp-google-map-plugin/assets/css/map.css?ver=
  • wp-google-map-plugin/assets/css/style.css?ver=
  • wp-google-map-plugin/assets/js/frontend.js?ver=
  • wp-google-map-plugin/assets/js/google-maps-api.js?ver=
  • wp-google-map-plugin/assets/js/wpgmp-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpgmp_map_canvas
  • wpgmp_marker_info_window
  • wpgmp_map_markers_list
  • wpgmp_map_wrapper
  • wpgmp_marker_title
  • wpgmp_marker_address
  • wpgmp_marker_description
  • wpgmp_map_listing_title
  • +8 more
HTML Comments
  • <!-- wp google map plugin -->
  • <!-- WPGoogleMaps -->
  • <!-- wp google map plugin -->
  • <!-- Developed by Flipper Code -->
  • +2 more
Data Attributes
  • data-map-id
  • data-marker-id
  • data-lat
  • data-lng
  • data-icon
  • data-title
  • +4 more
JS Globals
  • WPGMP_Settings
  • WPGMP_Admin_Map
  • wpgmp_map_admin_scripts
  • WPGMP_Frontend_Map
  • wpgmp_frontend_scripts
  • wpgmp_tinymce_plugin
Shortcode Output
[put_wpgm]
FAQ

Frequently Asked Questions about WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters