Does xLocate have any unpatched vulnerabilities?

No. All known vulnerabilities in xLocate have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is xLocate compatible with WordPress 4.9.29?

According to WordPress.org data, xLocate 1.0.1 has been tested up to WordPress 4.9.29. Check the plugin's changelog for the latest compatibility information.

Is xLocate compatible with PHP 5.6+?

xLocate requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is xLocate updated?

xLocate was last updated on Unknown. Frequent updates are generally a positive security signal.

What is xLocate's security score?

xLocate has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

xLocate Security & Risk Analysis

wordpress.org/plugins/xlocate

A location listing plugin, built with flexibility in mind.

0 active installs v1.0.1 PHP 5.6+ WP 4.8+ Updated Unknown

codemanasgeolocationgoogle-mapshousesproperties

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is xLocate Safe to Use in 2026?

Generally Safe

Score 100/100

xLocate has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs

Risk Assessment

The plugin "xlocate" v1.0.1 demonstrates a generally good security posture with some notable exceptions. Its strengths lie in the complete absence of dangerous functions, file operations, and external HTTP requests. Furthermore, all SQL queries are properly prepared, and there are no recorded vulnerabilities in its history, suggesting a commitment to secure coding practices. The presence of nonce checks on all identified entry points is also a positive sign, mitigating certain common attack vectors.

However, the plugin presents a significant security concern due to the presence of two unprotected AJAX handlers. These handlers, being directly accessible without any authentication or capability checks, form a critical part of the attack surface. While taint analysis shows no immediate high-risk flows, the lack of protection on these entry points means an attacker could potentially trigger unintended actions or exploit logic flaws if they exist within these handlers. The 70% output escaping rate also indicates that a portion of the plugin's output might be vulnerable to cross-site scripting (XSS) attacks, although the specific severity isn't detailed.

Key Concerns

Unprotected AJAX handlers present
Output not properly escaped (30%)

Vulnerabilities

None known

xLocate Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

xLocate Code Analysis

Dangerous Functions

Raw SQL Queries

6 prepared

Unescaped Output

43 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared6 total queries

Output Escaping

70% escaped61 total outputs

Attack Surface

2 unprotected

xLocate Attack Surface

Entry Points4

Unprotected2

AJAX Handlers 2

authwp_ajax_get_xlocate_mapfrontend\classes\class-xlocate-search-handler.php:17

noprivwp_ajax_get_xlocate_mapfrontend\classes\class-xlocate-search-handler.php:18

Shortcodes 2

[xlocate_map] includes\shortcodes.php:7

[xlocate_search_form] includes\shortcodes.php:24

WordPress Hooks 23

actionload-post.phpadmin\classes\class-meta-box.php:10

actionload-post-new.phpadmin\classes\class-meta-box.php:11

actionadd_meta_boxesadmin\classes\class-meta-box.php:19

actionadmin_enqueue_scriptsadmin\classes\class-meta-box.php:20

filterxlocate_settings_tabs_arrayadmin\classes\class-xlocate-admin-general-settings.php:11

filterxlocate_settings_tabs_arrayadmin\classes\class-xlocate-admin-help-settings.php:10

actionadmin_menuadmin\classes\class-xlocate-admin-menus.php:9

actionadmin_enqueue_scriptsadmin\classes\class-xlocate-admin-menus.php:10

filterxlocate_settings_tabs_arrayadmin\classes\class-xlocate-admin-pages-settings.php:11

filterxlocate_settings_tabs_arrayadmin\classes\class-xlocate-admin-shortcodes-settings.php:10

filterxlocate_settings_tabs_arrayadmin\classes\class-xlocate-admin-skins-settings.php:11

actionplugins_loadedadmin\classes\class-xlocate-admin.php:29

actionsave_post_houseadmin\classes\class-xlocate-location.php:18

actiondelete_postadmin\classes\class-xlocate-location.php:19

actionplugins_loadedadmin\classes\class-xlocate-location.php:129

actionpre_get_postsfrontend\classes\class-xlocate-search-handler.php:19

filterposts_clausesfrontend\classes\class-xlocate-search-handler.php:45

actionplugins_loadedfrontend\classes\class-xlocate-search-handler.php:175

actioninitincludes\custom-post-type.php:10

actioninitincludes\custom-post-type.php:68

actioninitincludes\xlocate-init.php:13

actionadmin_enqueue_scriptsincludes\xlocate-init.php:15

actionplugins_loadedxlocate.php:49

Maintenance & Trust

xLocate Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29

Last updatedUnknown

PHP min version5.6

Downloads1K

Community Trust

Rating0/100

Number of ratings0

Active installs0

Alternatives

xLocate Alternatives

Track Geolocation Of Users Using Contact Form 7

track-geolocation-of-users-using-contact-form-7

100

Track Geolocation Of Users Using Contact Form 7 allows you to get geolocation information with their form submission.

800 1 CVE

Simple Fields Map extension

simple-fields-map-extension

Extension to Simple Fields that adds a field type for selecting a location on a Google Map.

100 No CVEs

Quick Maps

quick-maps

100

The easiest Google Maps integration for your Wordpress website [quick-maps]Orlando, Florida[/quick-maps] - No Google API required.

40 No CVEs

BuddyPress Maps

buddypress-maps

BuddyPress Maps is a component that allows to find and display location markers on a Google Map.

10 No CVEs

Fundify Geolocated Campaigns

fundify-geolocated-campaigns

100

This plugin enables you to show your Fundify Geolocated campagins on Google map with shortcode

10 No CVEs

Developer Profile

xLocate Developer Profile

CodeManas

15 plugins · 2K total installs

trust score

Avg Security Score

96/100

Avg Patch Time

9 days

View full developer profile

Detection Fingerprints

How We Detect xLocate

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/xlocate/assets/shared/font/fontello.eot/wp-content/plugins/xlocate/assets/shared/font/fontello.eot/wp-content/plugins/xlocate/assets/shared/font/fontello.woff2/wp-content/plugins/xlocate/assets/shared/font/fontello.woff/wp-content/plugins/xlocate/assets/shared/font/fontello.ttf/wp-content/plugins/xlocate/assets/shared/font/fontello.svg

Script Paths

/wp-content/plugins/xlocate/admin/js/map-meta.js/wp-content/plugins/xlocate/admin/js/geocomplete.js/wp-content/plugins/xlocate/admin/js/google-map.js

Version Parameters

xlocate/admin/js/map-meta.js?ver=xlocate/admin/js/geocomplete.js?ver=xlocate/admin/js/google-map.js?ver=

HTML / DOM Fingerprints

CSS Classes

search-location-wrappericon-location

Data Attributes

data-xlocate-latdata-xlocate-lngdata-xlocate-formatted-address

JS Globals

xlocate_init_map_metaxlocate_google_map_initxlocate_geocomplete_init

FAQ