WP Map Block – Gutenberg Map Block for Google Map and OpenStreet Map by aBlocks Security & Risk Analysis

The "wp-map-block" plugin v2.0.4 exhibits a mixed security posture. On the positive side, the code demonstrates strong practices in handling SQL queries (100% prepared statements), a high rate of output escaping (96%), and the absence of dangerous functions, file operations, and bundled libraries. The presence of nonce and capability checks, along with a low number of total flows analyzed with no high-severity taint issues, are also positive indicators. However, a significant concern arises from the presence of one unprotected AJAX handler, representing a direct entry point into the plugin's functionality without any authentication or authorization checks. This could potentially be exploited by unauthenticated users.

The vulnerability history reveals two previously disclosed medium-severity Cross-Site Scripting (XSS) vulnerabilities. While there are currently no unpatched CVEs, the past occurrence of XSS suggests a pattern where improper neutralization of input has been an issue. The most recent vulnerability was in 2025, which might imply a relatively recent but resolved security concern. The lack of critical or high-severity vulnerabilities in the history and code analysis is encouraging, but the unprotected AJAX handler and past XSS issues warrant careful consideration.

In conclusion, the plugin has commendable security practices in many areas, particularly concerning database interactions and output sanitization. Nevertheless, the unprotected AJAX endpoint is a notable weakness that could expose the plugin to attacks. The historical XSS vulnerabilities, though resolved, highlight the importance of continued vigilance in input validation. Organizations should monitor this plugin for future updates and potential new vulnerabilities.