WP-Safety

WP_Places Security & Risk Analysis

wordpress.org/plugins/wp-places

WP_Places populates up-to-the-minute information about almost any location or business. Display address, phone number, hours of operation, and website …

10 active installs v2.1.2 PHP + WP 4.0+ Updated Unknown
business-informationgoogle-placesgoogle-places-api-web-serviceslocation
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is WP_Places Safe to Use in 2026?

Generally Safe

Score 100/100

WP_Places has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The "wp-places" v2.1.2 plugin exhibits a generally strong security posture based on the provided static analysis. It has a limited attack surface, with all identified entry points (shortcodes) not explicitly noted as unprotected. The code also demonstrates good practices by using prepared statements for all SQL queries and properly escaping a high percentage of its output. The absence of dangerous functions, file operations, and recorded vulnerabilities is also a positive indicator. The limited number of external HTTP requests is also a good sign. However, the complete absence of nonce checks across all entry points, coupled with only two capability checks for all operations, presents a significant concern. This lack of robust authentication and authorization mechanisms for its shortcode functionality leaves it potentially vulnerable to unauthorized actions if an attacker can trigger these shortcodes. While the vulnerability history is clean, it's important to remember that a clean history doesn't guarantee future safety, especially when fundamental security controls like nonce checks are missing.

Key Concerns

  • Missing nonce checks on all entry points
  • Limited capability checks across entry points
  • Unescaped output (14% of total)
Vulnerabilities
None known

WP_Places Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP_Places Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
7
43 escaped
Nonce Checks
0
Capability Checks
2
File Operations
0
External Requests
6
Bundled Libraries
0

Output Escaping

86% escaped50 total outputs
Attack Surface

WP_Places Attack Surface

Entry Points3
Unprotected0

Shortcodes 3

[wp_places_search] includes\class-shortcodes.php:47
[wp_places] includes\class-shortcodes.php:48
[wpplacesmap] includes\map-shortcode.php:108
WordPress Hooks 25
filtermanage_posts_columnsincludes\class-admin.php:63
actionmanage_posts_custom_columnincludes\class-admin.php:64
filtermanage_pages_columnsincludes\class-admin.php:67
actionmanage_pages_custom_columnincludes\class-admin.php:68
filterthe_contentincludes\class-content.php:47
actionsave_postincludes\class-hours.php:76
actiondeleted_postincludes\class-hours.php:77
actionswitch_themeincludes\class-hours.php:78
actionwidgets_initincludes\class-hours.php:222
actionsave_postincludes\class-map.php:76
actiondeleted_postincludes\class-map.php:77
actionswitch_themeincludes\class-map.php:78
actionwidgets_initincludes\class-map.php:222
actioncmb2_initincludes\class-meta-boxes.php:51
actionadmin_headincludes\class-meta-boxes.php:52
actionadmin_enqueue_scriptsincludes\class-meta-boxes.php:53
actionadmin_noticesincludes\class-meta-boxes.php:55
actionadmin_initincludes\class-settings.php:90
actionadmin_menuincludes\class-settings.php:91
actioncmb2_admin_initincludes\class-settings.php:92
actionadmin_initWP_Places.php:221
actioninitWP_Places.php:222
actionall_admin_noticesWP_Places.php:281
actionadmin_initWP_Places.php:284
actionplugins_loadedWP_Places.php:426
Maintenance & Trust

WP_Places Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29
Last updatedUnknown
PHP min version
Downloads5K

Community Trust

Rating100/100
Number of ratings9
Active installs10
Alternatives

WP_Places Alternatives

Widgets for Google Reviews

Widgets for Google Reviews

wp-reviews-plugin-for-google

A
93

Embed Google reviews fast and easily into your WordPress site. Increase SEO, trust and sales using Google reviews.

900K 4 CVEs
SlimStat Analytics

SlimStat Analytics

wp-slimstat

A
88

The leading web analytics plugin for WordPress

80K 23 CVEs
IP2Location Country Blocker

IP2Location Country Blocker

ip2location-country-blocker

A
93

Blocks unwanted visitors from accessing your frontend (blog pages) or backend (admin area) by countries or proxy servers.

30K 9 CVEs
WP Google Review Slider

WP Google Review Slider

wp-google-places-review-slider

A
92

Display Google reviews on your site and even show user images! No address, no problem! Also works with Service Area Businesses and Products! Lightwei …

30K 6 CVEs
Geolocation IP Detection

Geolocation IP Detection

geoip-detect

A
99

Provides geographic information detected by an IP adress.

20K 1 CVE
Developer Profile

WP_Places Developer Profile

Gary Kovar

4 plugins · 40 total installs

86
trust score
Avg Security Score
89/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP_Places

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-places/includes/js/map-shortcode.js/wp-content/plugins/wp-places/includes/js/shortcodes.js/wp-content/plugins/wp-places/includes/css/shortcodes.css
Script Paths
/wp-content/plugins/wp-places/includes/js/map-shortcode.js/wp-content/plugins/wp-places/includes/js/shortcodes.js
Version Parameters
wp-places/includes/js/map-shortcode.js?ver=wp-places/includes/js/shortcodes.js?ver=wp-places/includes/css/shortcodes.css?ver=

HTML / DOM Fingerprints

CSS Classes
wp-places-map-canvaswp-places-directions-panelwp-places-info-window
Data Attributes
data-wpp-iddata-wpp-latdata-wpp-lngdata-wpp-zoom
JS Globals
wp_places_settingswp_places_map_shortcode_params
Shortcode Output
[wp_places_map[wp_places_directions
FAQ

Frequently Asked Questions about WP_Places