StoryMap Plugin Security & Risk Analysis

wordpress.org/plugins/wp-storymap

Create your own storymap!

60 active installs · v2.1 · PHP min version: not stated · WP 4.0+ · Updated Sep 21, 2025

Tags: map, points-of-interest, route, story-map, trip

Score: 57
Grade: C · Use Caution
CVEs total: 2
Unpatched: 2
Last CVE: Sep 5, 2025
Safety Verdict

Is StoryMap Plugin Safe to Use in 2026?

Use With Caution

Score 57/100

StoryMap Plugin has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

2 known CVEs · 2 unpatched · Last CVE: Sep 5, 2025 · Updated 7mo ago
Risk Assessment

The wp-storymap plugin, v2.1, presents a mixed security posture. On the positive side, it demonstrates good practices by avoiding dangerous functions, file operations, and external HTTP requests. The plugin also implements a reasonable number of nonce and capability checks. However, there are notable concerns regarding SQL query security and output escaping. A significant percentage of SQL queries are not prepared, and a substantial portion of output is not properly escaped. This suggests potential vulnerabilities to SQL injection and Cross-Site Scripting (XSS) if not handled with extreme care by the surrounding WordPress environment.

Taint analysis reveals a concerning number of flows with unsanitized paths, four of which are classified as high severity. This indicates that user-supplied data might be flowing through the application in ways that could be exploited. Coupled with the plugin's vulnerability history, which includes two unpatched medium severity CVEs related to XSS and CSRF, these findings point to a pattern of insecure input handling. The presence of unpatched vulnerabilities, especially given their type and severity, is a significant risk that requires immediate attention.

In conclusion, while wp-storymap exhibits some strengths in its code, the identified risks in SQL query preparation, output escaping, unsanitized taint flows, and most importantly, the existence of unpatched vulnerabilities, significantly detract from its overall security. Users should proceed with caution and ensure their environment is robust against potential exploits.

Key Concerns

  • Unpatched CVEs (2 medium)
  • High severity taint flows (4)
  • SQL queries not using prepared statements (56%)
  • Output not properly escaped (33%)
Vulnerabilities
2 published

StoryMap Plugin Security Vulnerabilities

CVEs by Year

2025: 2 CVEs · unpatched

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-58874 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

StoryMap <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 5, 2025 · Unpatched

CVE-2025-52797 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

StoryMap <= 2.1 - Cross-Site Request Forgery

Aug 14, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

StoryMap Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 20 (16 prepared)
Unescaped Output: 50 (100 escaped)
Nonce Checks: 6
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

44% prepared · 36 total queries

Output Escaping

67% escaped · 150 total outputs
Data Flows · Security
8 unsanitized

Data Flow Analysis

16 flows · 8 with unsanitized paths

storymap_pro_my_stories_page_handler (my-stories.php:324)
Attack Surface

StoryMap Plugin Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes: 2

[wp_storymap_pro] · trunk\wp-storymap-pro.php:335
[wp_storymap_pro] · wp-storymap-pro.php:335
WordPress Hooks: 20

action · plugins_loaded · my-stories.php:89
action · plugins_loaded · points-table.php:139
action · plugins_loaded · trunk\my-stories.php:89
action · plugins_loaded · trunk\points-table.php:139
action · admin_enqueue_scripts · trunk\wp-storymap-pro.php:178
action · admin_post_save · trunk\wp-storymap-pro.php:215
action · admin_menu · trunk\wp-storymap-pro.php:256
action · wp_enqueue_script · trunk\wp-storymap-pro.php:352
action · wp_enqueue_scripts · trunk\wp-storymap-pro.php:392
action · wp_enqueue_scripts · trunk\wp-storymap-pro.php:438
action · wp_footer · trunk\wp-storymap-pro.php:441
action · wp_enqueue_scripts · trunk\wp-storymap-pro.php:446
action · admin_enqueue_scripts · wp-storymap-pro.php:178
action · admin_post_save · wp-storymap-pro.php:215
action · admin_menu · wp-storymap-pro.php:256
action · wp_enqueue_script · wp-storymap-pro.php:352
action · wp_enqueue_scripts · wp-storymap-pro.php:392
action · wp_enqueue_scripts · wp-storymap-pro.php:438
action · wp_footer · wp-storymap-pro.php:441
action · wp_enqueue_scripts · wp-storymap-pro.php:446
Maintenance & Trust

StoryMap Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Sep 21, 2025
PHP min version: not stated
Downloads: 4K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 60
Developer Profile

StoryMap Plugin Developer Profile

josepsitjar

1 plugin · 60 total installs

Trust score: 64
Avg Security Score: 57/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect StoryMap Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-storymap/style.css
  • /wp-content/plugins/wp-storymap/leaflet/leaflet.css
  • /wp-content/plugins/wp-storymap/leaflet/leafletgeosearch.css
  • /wp-content/plugins/wp-storymap/bootstrap/bootstrap-colorpalette.css
  • /wp-content/plugins/wp-storymap/bootstrap/image-picker.css
  • /wp-content/plugins/wp-storymap/font-awesome-picker/css/fontawesome-iconpicker.css
Script Paths
  • /wp-content/plugins/wp-storymap/media-lib-uploader.js
  • /wp-content/plugins/wp-storymap/leaflet/leaflet.js
  • /wp-content/plugins/wp-storymap/leaflet/bundle.min.js
  • /wp-content/plugins/wp-storymap/leaflet/wp-storymap-coordinate-picker.js
  • /wp-content/plugins/wp-storymap/bootstrap/bootstrap-colorpalette.js
  • /wp-content/plugins/wp-storymap/bootstrap/image-picker.js
  • +1 more
Version Parameters
  • wp-storymap/style.css?ver=
  • wp-storymap/leaflet/leaflet.css?ver=
  • wp-storymap/leaflet/leafletgeosearch.css?ver=
  • wp-storymap/bootstrap/bootstrap-colorpalette.css?ver=
  • wp-storymap/bootstrap/image-picker.css?ver=
  • wp-storymap/font-awesome-picker/css/fontawesome-iconpicker.css?ver=
  • wp-storymap/media-lib-uploader.js?ver=
  • wp-storymap/leaflet/leaflet.js?ver=
  • wp-storymap/leaflet/bundle.min.js?ver=
  • wp-storymap/leaflet/wp-storymap-coordinate-picker.js?ver=
  • wp-storymap/bootstrap/bootstrap-colorpalette.js?ver=
  • wp-storymap/bootstrap/image-picker.js?ver=
  • wp-storymap/font-awesome-picker/js/fontawesome-iconpicker.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • leaflet-control-geosearch
  • geosearch-input
  • leaflet-control-geosearch-panel
HTML Comments
  • <!--StoryMap Pro plugin backend-->
  • <!--Default configuration options-->
  • <!--Configuration page-->
  • <!-- Function to display text at the beginning of the main section-->
  • +17 more
Data Attributes
  • data-toggle
  • data-target
  • data-color
  • data-name
  • data-icon
  • data-image
  • +2 more
JS Globals
  • storymap_pro_options
  • map_coordinate_picker
FAQ

Frequently Asked Questions about StoryMap Plugin