WP-Ultimate-Map Security & Risk Analysis

wordpress.org/plugins/wp-ultimate-map

Place a map on your wordpress website with custom markers , infowindows and Routes.

10 active installs v1.1 PHP + WP 1.0+ Updated May 21, 2016
draw-on-mapgeo-locationgoogle-mapmapsplacesroutes
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEJun 8, 2026
Download
Safety Verdict

Is WP-Ultimate-Map Safe to Use in 2026?

Use With Caution

Score 63/100

WP-Ultimate-Map has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Jun 8, 2026Updated 10yr ago
Risk Assessment

The wp-ultimate-map plugin version 1.1 presents a mixed security posture. While it demonstrates good practices by avoiding dangerous functions, using prepared statements for SQL, and conducting capability checks on all identified entry points, there are significant concerns regarding output escaping and taint analysis. A high percentage of output is not properly escaped, potentially exposing users to Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the taint analysis reveals a concerning number of flows with unsanitized paths, indicating a risk of insecure handling of user-supplied data, although no critical or high severity issues were flagged in this specific analysis. The plugin's clean vulnerability history is a positive indicator, suggesting a generally well-maintained codebase. However, the identified output escaping and taint flow issues warrant attention to prevent potential security incidents.

Key Concerns

  • Significant portion of output unescaped
  • Flows with unsanitized paths found
Vulnerabilities
1 published

WP-Ultimate-Map Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-8907medium · 6.1Cross-Site Request Forgery (CSRF)

WP-Ultimate-Map <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'zoom-level' Parameter

Jun 8, 2026Unpatched
Version History

WP-Ultimate-Map Release Timeline

v1.1Current1 CVE
v1.01 CVE
Code Analysis
Analyzed Mar 16, 2026

WP-Ultimate-Map Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
42
5 escaped
Nonce Checks
2
Capability Checks
4
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

11% escaped47 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

5 flows4 with unsanitized paths
changePage (src\ajax.php:170)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WP-Ultimate-Map Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[umap] src\shortcodes.php:9
WordPress Hooks 35
actionadmin_enqueue_scriptsadmin\class-admin.php:12
actionadmin_menuadmin\class-admin.php:13
actionadmin_initadmin\class-admin.php:14
actionload-post.phpadmin\post-types\place-marker.php:13
actionload-post-new.phpadmin\post-types\place-marker.php:14
actionadd_meta_boxesadmin\post-types\place-marker.php:26
actionsave_postadmin\post-types\place-marker.php:27
actionmarker_edit_form_fieldsadmin\post-types\place-marker.php:165
actionmarker_add_form_fieldsadmin\post-types\place-marker.php:167
actionedited_markeradmin\post-types\place-marker.php:169
actioncreate_markeradmin\post-types\place-marker.php:171
actionadmin_enqueue_scriptsadmin\post-types\place-marker.php:232
actionroute_by_edit_form_fieldsadmin\post-types\place-marker.php:241
actionroute_by_add_form_fieldsadmin\post-types\place-marker.php:243
actionedited_route_byadmin\post-types\place-marker.php:245
actioncreate_route_byadmin\post-types\place-marker.php:247
actionadmin_enqueue_scriptsadmin\post-types\place-marker.php:287
actionload-post.phpadmin\post-types\place-route.php:12
actionload-post-new.phpadmin\post-types\place-route.php:13
actionadd_meta_boxesadmin\post-types\place-route.php:25
actionsave_postadmin\post-types\place-route.php:26
actionroute_taxo_edit_form_fieldsadmin\post-types\place-route.php:231
actionroute_taxo_add_form_fieldsadmin\post-types\place-route.php:233
actionedited_route_taxoadmin\post-types\place-route.php:235
actioncreate_route_taxoadmin\post-types\place-route.php:237
actionadmin_enqueue_scriptsadmin\post-types\place-route.php:277
actioninitsrc\CPT.php:175
actioninitsrc\CPT.php:178
actioninitsrc\CPT.php:181
actionrestrict_manage_postssrc\CPT.php:190
filterpost_updated_messagessrc\CPT.php:193
filterbulk_post_updated_messagessrc\CPT.php:194
actionload-edit.phpsrc\CPT.php:898
filterrequestsrc\CPT.php:934
actionwp_enqueue_scriptssrc\shortcodes.php:10
Maintenance & Trust

WP-Ultimate-Map Maintenance & Trust

Maintenance Signals

WordPress version tested4.3.34
Last updatedMay 21, 2016
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

WP-Ultimate-Map Developer Profile

rahulbhangale

5 plugins · 30 total installs

68
trust score
Avg Security Score
63/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP-Ultimate-Map

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-ultimate-map/admin/css/admin.css/wp-content/plugins/wp-ultimate-map/admin/js/admin.js/wp-content/plugins/wp-ultimate-map/js/scripts.js/wp-content/plugins/wp-ultimate-map/css/main.css
Script Paths
https://maps.googleapis.com/maps/api/js?libraries=places&callback=initMaphttps://maps.googleapis.com/maps/api/js?libraries=places&callback=mapLocation

HTML / DOM Fingerprints

CSS Classes
setting-containercontrols
Data Attributes
id="pac-input"id="place"id="focus-lat"id="focus-lng"id="zoom-level"
JS Globals
var map;var markers = [];function initMap()function placeMarkerWithId(initLatLng , map , id)function clearMarkers()function place_search(map)+2 more
Shortcode Output
[umap]
FAQ

Frequently Asked Questions about WP-Ultimate-Map