WP Store Locator Security & Risk Analysis

wordpress.org/plugins/wp-store-locator

An easy to use location management system that enables users to search for nearby physical stores.

50K active installs · v2.3.0 · PHP + WP 3.7+ · Updated Mar 14, 2026

Tags: directions, google-maps, maps, store-finder, store-locator

Score: 96 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Apr 22, 2026
Safety Verdict

Is WP Store Locator Safe to Use in 2026?

Generally Safe

Score 96/100

WP Store Locator has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Apr 22, 2026 · Updated 2mo ago
Risk Assessment

The wp-store-locator plugin v2.3.0 presents a mixed security posture. On the positive side, a high percentage of SQL queries use prepared statements and output escaping is well-implemented, indicating good development practices for core functionalities. The absence of critical or high severity taint analysis findings and the lack of bundled libraries are also encouraging signs. However, the plugin has a notable attack surface with 11 entry points, of which 3 are AJAX handlers lacking authentication checks. This is a significant concern as it allows unauthenticated users to interact with potentially sensitive parts of the plugin. Furthermore, the plugin has a history of a high severity "Deserialization of Untrusted Data" vulnerability, even though it is currently patched. This historical pattern suggests a potential area of weakness that attackers might target again if not rigorously reviewed.

Overall, while the plugin demonstrates good practices in data handling and output sanitization, the presence of unprotected AJAX endpoints and the historical vulnerability in deserialization are key risks that require attention. The attack surface could be further hardened by implementing proper authentication and capability checks on all entry points.

Key Concerns

  • Unprotected AJAX handlers
  • High severity vulnerability in history
  • SQL queries not always prepared
Vulnerabilities
2 published

WP Store Locator Security Vulnerabilities

CVEs by Year

2025: 1 CVE
2026: 1 CVE

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2026-3361 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Store Locator <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta

Apr 22, 2026 · Patched in 2.3.0 (1d)

CVE-2025-52737 · high · 7.5 · Deserialization of Untrusted Data

Store Locator <= 2.2.260 - Authenticated (Contributor+) PHP Object Injection

Jul 31, 2025 · Patched in 2.2.261 (97d)
Version History

WP Store Locator Release Timeline

Code Analysis
Analyzed Mar 16, 2026

WP Store Locator Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 5 (8 prepared)
Unescaped Output: 45 (462 escaped)
Nonce Checks: 9
Capability Checks: 13
File Operations: 1
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

62% prepared · 13 total queries

Output Escaping

91% escaped · 507 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

7 flows · 3 with unsanitized paths

sanitize_settings (admin\class-settings.php:70)
Attack Surface
3 unprotected

WP Store Locator Attack Surface

Entry Points: 11
Unprotected: 3

AJAX Handlers 6

auth · wp_ajax_validate_server_key · admin\class-admin.php:65
auth · wp_ajax_validate_server_key · admin\class-settings.php:19
auth · wp_ajax_convert_cpt · admin\upgrade.php:494
auth · wp_ajax_convert_cpt_count · admin\upgrade.php:495
auth · wp_ajax_store_search · frontend\class-frontend.php:57
nopriv · wp_ajax_store_search · frontend\class-frontend.php:58

REST API Routes 1

GET /wp-json/wpsl/v1/block-data · admin\class-block.php:193

Shortcodes 4

[wpsl] frontend\class-frontend.php:64
[wpsl_address] frontend\class-frontend.php:65
[wpsl_hours] frontend\class-frontend.php:66
[wpsl_map] frontend\class-frontend.php:67

WordPress Hooks 61

action · init · admin\class-admin.php:53
action · admin_menu · admin\class-admin.php:54
action · admin_init · admin\class-admin.php:55
action · delete_post · admin\class-admin.php:56
action · wp_trash_post · admin\class-admin.php:57
action · untrash_post · admin\class-admin.php:58
action · admin_enqueue_scripts · admin\class-admin.php:59
filter · plugin_row_meta · admin\class-admin.php:60
filter · admin_footer_text · admin\class-admin.php:62
action · wp_loaded · admin\class-admin.php:63
action · admin_notices · admin\class-admin.php:157
action · admin_print_footer_scripts · admin\class-admin.php:501
action · init · admin\class-block.php:24
action · rest_api_init · admin\class-block.php:25
filter · block_categories_all · admin\class-block.php:26
action · admin_enqueue_scripts · admin\class-exit-survey.php:25
action · admin_footer · admin\class-exit-survey.php:26
action · admin_init · admin\class-license-manager.php:38
action · admin_init · admin\class-license-manager.php:39
filter · wpsl_license_settings · admin\class-license-manager.php:40
action · add_meta_boxes · admin\class-metaboxes.php:23
action · save_post · admin\class-metaboxes.php:24
action · post_updated_messages · admin\class-metaboxes.php:25
filter · redirect_post_location · admin\class-metaboxes.php:833
action · all_admin_notices · admin\class-notices.php:31
action · admin_init · admin\class-settings.php:20
action · admin_init · admin\class-settings.php:21
action · media_buttons · admin\class-shortcode-generator.php:24
action · admin_init · admin\class-shortcode-generator.php:25
action · admin_init · admin\data-export.php:4
filter · pre_set_site_transient_update_plugins · admin\EDD_SL_Plugin_Updater.php:78
filter · plugins_api · admin\EDD_SL_Plugin_Updater.php:79
action · after_plugin_row · admin\EDD_SL_Plugin_Updater.php:80
action · admin_init · admin\EDD_SL_Plugin_Updater.php:81
action · in_plugin_update_message-wp-store-locator/wp-store-locator.php · admin\upgrade.php:4
action · admin_init · admin\upgrade.php:5
action · admin_init · admin\upgrade.php:6
action · admin_footer · admin\upgrade.php:490
action · admin_enqueue_scripts · admin\upgrade.php:493
action · init · frontend\class-frontend.php:54
action · wp_enqueue_scripts · frontend\class-frontend.php:59
action · wp_footer · frontend\class-frontend.php:60
filter · the_content · frontend\class-frontend.php:62
filter · borlabsCookie/contentBlocker/modify/content/wpstorelocator · inc\class-borlabs-cookie.php:22
filter · borlabsCookie/bct/modify_content/wpstorelocator · inc\class-borlabs-cookie.php:24
action · init · inc\class-i18n.php:23
action · init · inc\class-post-types.php:19
action · init · inc\class-post-types.php:20
action · init · inc\class-post-types.php:21
action · manage_wpsl_stores_posts_custom_column · inc\class-post-types.php:22
filter · enter_title_here · inc\class-post-types.php:24
filter · manage_edit-wpsl_stores_columns · inc\class-post-types.php:25
filter · manage_edit-wpsl_stores_sortable_columns · inc\class-post-types.php:26
filter · request · inc\class-post-types.php:27
filter · sgo_javascript_combine_exclude · inc\wpsl-exclude-optimization.php:33
filter · autoptimize_filter_js_exclude · inc\wpsl-exclude-optimization.php:57
filter · litespeed_optimize_js_excludes · inc\wpsl-exclude-optimization.php:89
filter · litespeed_optm_gm_js_exc · inc\wpsl-exclude-optimization.php:90
filter · rocket_exclude_defer_js · inc\wpsl-exclude-optimization.php:119
filter · rocket_exclude_js · inc\wpsl-exclude-optimization.php:120
action · init · wp-store-locator.php:79
Maintenance & Trust

WP Store Locator Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 14, 2026
PHP min version
Downloads: 1.5M

Community Trust

Rating: 96/100
Number of ratings: 311
Active installs: 50K
Developer Profile

WP Store Locator Developer Profile

Tijmen Smit

1 plugin · 50K total installs

Trust score: 85
Avg Security Score: 96/100
Avg Patch Time: 49 days
Detection Fingerprints

How We Detect WP Store Locator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-store-locator/css/wpsl-frontend.css
/wp-content/plugins/wp-store-locator/css/wpsl-admin.css
/wp-content/plugins/wp-store-locator/js/wpsl-admin.js
/wp-content/plugins/wp-store-locator/js/wpsl-frontend.js
/wp-content/plugins/wp-store-locator/js/wpsl-map.js
/wp-content/plugins/wp-store-locator/js/wpsl-shortcode-generator.js
Script Paths
/wp-content/plugins/wp-store-locator/js/wpsl-frontend.js
/wp-content/plugins/wp-store-locator/js/wpsl-map.js
Version Parameters
/wp-content/plugins/wp-store-locator/css/wpsl-frontend.css?ver=
/wp-content/plugins/wp-store-locator/css/wpsl-admin.css?ver=
/wp-content/plugins/wp-store-locator/js/wpsl-admin.js?ver=
/wp-content/plugins/wp-store-locator/js/wpsl-frontend.js?ver=
/wp-content/plugins/wp-store-locator/js/wpsl-map.js?ver=
/wp-content/plugins/wp-store-locator/js/wpsl-shortcode-generator.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpsl-store-locator, wpsl-location-search-wrap, wpsl-search-wrap, wpsl-search-input, wpsl-search-button, wpsl-stores-wrap, wpsl-store-single, wpsl-store-name (+19 more)
HTML Comments
<!-- WP Store Locator
WP Store Locator
Copyright (C) 2013 Tijmen Smit - tijmen@wpstorelocator.co
This program is free software: you can redistribute it and/or modify
(+33 more)
Data Attributes
data-wpsl-map-id, data-wpsl-marker-id, data-wpsl-lat, data-wpsl-lng, data-wpsl-zoom, data-wpsl-map-type (+6 more)
JS Globals
wpsl_map_options, wpsl_map_markers, wpsl_settings, wpsl_i18n_strings, WPSLAdmin
REST Endpoints
/wp-json/wpsl/v1/stores
/wp-json/wpsl/v1/store
/wp-json/wpsl/v1/settings
Shortcode Output
[wpsl], [wpsl_search], [wpsl_results], [wpsl_map]
FAQ

Frequently Asked Questions about WP Store Locator