Does XMap have any unpatched vulnerabilities?

No. All known vulnerabilities in XMap have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is XMap compatible with WordPress 4.5.33?

According to WordPress.org data, XMap 1.3 has been tested up to WordPress 4.5.33. Check the plugin's changelog for the latest compatibility information.

How often is XMap updated?

XMap was last updated on Dec 20, 2015. Frequent updates are generally a positive security signal.

What is XMap's security score?

XMap has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

XMap Security & Risk Analysis

wordpress.org/plugins/xmap

XMap lets you embed maptoolkit maps (like www.bikemap.net) into your WordPress blog.

30 active installs v1.3 PHP + WP 3.0+ Updated Dec 20, 2015

google-mapsmapmappingmaptoolkitopenstreetmap

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is XMap Safe to Use in 2026?

Generally Safe

Score 85/100

XMap has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10yr ago

Risk Assessment

The xmap plugin v1.3 exhibits a seemingly strong security posture based on the static analysis, with no identified dangerous functions, SQL queries using prepared statements, file operations, external requests, or taint flows of concern. The plugin also has no recorded vulnerability history, suggesting a clean track record. However, the complete absence of nonce checks and capability checks, combined with a significant percentage of output not being properly escaped, presents a notable concern. While the attack surface is limited to shortcodes, the lack of security measures on these entry points, particularly the unescaped output, could potentially lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled carefully within the shortcode's rendering process.

Despite the positive indicators of secure coding practices in certain areas, the lack of robust input validation and output sanitization on its entry points is a weakness. The vulnerability history is a positive sign, but it doesn't negate the inherent risks posed by the identified code signals. Overall, while the plugin appears free from severe known issues, the unescaped output represents a potential attack vector that requires attention for a truly secure implementation.

Key Concerns

Output not properly escaped
Missing nonce checks
Missing capability checks

Vulnerabilities

None known

XMap Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

XMap Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped4 total outputs

Attack Surface

XMap Attack Surface

Entry Points5

Unprotected0

Shortcodes 5

[bikemap] includes\shortcodes.php:3

[runmap] includes\shortcodes.php:4

[wandermap] includes\shortcodes.php:5

[mopedmap] includes\shortcodes.php:6

[inlinemap] includes\shortcodes.php:7

WordPress Hooks 2

actionadmin_menuxmap.php:39

actionadmin_initxmap.php:40

Maintenance & Trust

XMap Maintenance & Trust

Maintenance Signals

WordPress version tested4.5.33

Last updatedDec 20, 2015

PHP min version

Downloads3K

Community Trust

Rating0/100

Number of ratings0

Active installs30

Alternatives

XMap Alternatives

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters

wp-google-map-plugin

WordPress map plugin for Google Maps, OpenStreetMap & Mapbox with store locator, filterable listings & custom markers.

60K 20 CVEs

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)

leaflet-maps-marker

The most comprehensive & user-friendly mapping solution for WordPress

10K 6 CVEs

Geo Mashup

geo-mashup

Include Google and OpenStreetMap maps in posts and pages, and map posts, pages, and other objects on global maps. Make WordPress into a GeoCMS.

2K 6 CVEs

Out of the Block: OpenStreetMap

ootb-openstreetmap

A map block for Gutenberg using OpenStreetMap and Leaflet that needs no API keys and works out of the box. Or should we say, ...Out of the Block?

800 1 CVE

MapifyLite (by MapifyPro)

mapifylite

100

MapifyLite is an elite plugin for WordPress that implements fully-customized maps on your site.

300 1 CVE

Developer Profile

XMap Developer Profile

parelius

2 plugins · 40 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect XMap

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes

xmap

Shortcode Output

<div class="xmap"<iframe src="http://border="0" frameborder="0" marginheight="0" marginwidth="0" scrolling="no"></iframe>

FAQ