Free v3.12.2 with compatibility & security fixes is available

Posted on 18 October, 2018


Free-Version Releases
Attention: this is not the changelog for the latest stable version 4.29 (see related release notes)

With v3.12.2 we added some optimizations and fixed several bugs.

For even more features and optimizations (see the comparision page), please use the integrated pro upgrader to start a free 30-day-trial of Maps Marker Pro.

Maps Marker Pro v4.0 has also been released today and features a complete object-oriented rewrite of the codebase. While this process took quite a few months to complete, the long-term benefits are absolutely worth it. Not only does the new code dramatically decrease load times and enhance security, but it also makes it much easier for us to fix bugs or implement new features.

  • complete rewrite / refactorization of the code base from procedural to object oriented
  • separation of JavaScript from PHP to allow for caching and significantly increase page loading speed
  • decreased download size for marker data, allowing for up to 75% faster map loading
  • support for gpx elevation charts and waypoints
  • advanced customisation for maps: settings are now saved on a map basis instead of globally
  • improved performance by reducing the number of database queries needed and the use of caches where possible
  • optimized CSS & JS loading mechanism resulting in load time reduction of up to 20%
  • support for HERE basemaps
  • option to add a link instead of a popup for markers
  • Leaflet.GestureHandling support (prevents users from getting trapped on the map when scrolling a long page)
  • (retired) Wikitude augmented reality API has been replaced with API
  • optimized permission system with Maps Marker Pro capabilities for better access control (attention: by default only admins have access!)
  • separate settings to show address, coordinates (new) and directions of markers in popup
  • support for bing canvas dark, canvas light and canvays grey basemaps (disabled by default)
  • option to set maximum boundaries for maps to limit panning (button “Restrict to current view”)
  • support for condensed attribution
  • options to change positions of all available control boxes
  • add Yoast SEO sitemap integration
  • upgraded leaflet.js (“the engine of Maps Marker Pro”) from v1.0.3 to v1.3.4 including optimizations and bugfixes
  • options to display the list of markers right or left to a layer map
  • fractional zoom support (new interaction options: zoomDelta and zoomSnap)
  • possibility to override global settings for each map by using new shortcode parameters
  • batch selection buttons (all/none) for layers in filter controlbox
  • support for minNativeZoom for mapbox and custom basemaps (tiles on all zoom levels lower than minimum zoom level will be loaded from
  • minNativeZoom level and auto-scaled)
  • increased rate limit for Photon@MapsMarker geocoding from 5.000 to 10.000 requests per day and from 10 to 20 requests per second (free version:
  • 1.000/day and 5/sec)
  • options to change position of zoom and basemap control box
  • batch selection buttons for layers in filter controlbox

An update to the latest version is – as always – highly recommended.

Let me know what you think about this new release by submitting a review!

If you want to keep up to date with the latest Maps Marker development, please follow @MapsMarker on twitter (= most current updates), on FacebookGoogle+ or subscribe to news via RSS or via RSS/email.

We would also like to invite you to join our affiliate program which offers commissions up to 50%. If you are interested in becoming a reseller, please visit

Now let´s get to the changes of free v3.12.1:

Changes and optimizations

  • Photon@Mapsmarker: show streetnames+housenumbers for geocoding results if available
  • load map tiles for OSM Black&White and DE variant via https to prevent mixed-content warnings (thx Annette!)
  • do not strip input tags from popuptexts if option “HTML filter for popuptexts (wp_kses)” is enabled
  • updated compatibility check for WP Rocket 2.10.x
  • added HTML tag source with attributes type and src to wp_kses() whitelist for video shortcode parsing (marker maps only)
  • removed MapQuest basemap support (due to MapQuest basemaps now requiring their own API, making them incompatible to be implemented into a standard Leaflet installation; existing MapQuest maps will be switched to OpenStreetMap automatically)
  • removed settings for (depreciated) mobile web app launch images
  • double quotes in popuptexts broke marker maps on frontend if HTML filter for popuptexts (wp_kses) was enabled


  • replaced broken WMS layers 3 & 8 from European Environment Agency with “Lake bathing water monitoring” and “NOx emissions from road transport”
  • incompatibility with Apache v2.4 and htaccess/allow from all (thx stafmans!)

Security fixes

Since the start of our security bug bounty program on May 19th we have received several vulnerability reports – due to our attention on secure coding and 3 penetration tests in the last 4 years no severe or critical issues were found though. All but the first issue from the list below could only have been exploited by users with backend access – and in most cases with admin users only.

Some additional thoughts why those vulnerabilities were not detected by us so far, although we are doing regular security checks: the attack vector of an admin who e.g. inject malicious code into Leaflet Maps Marker settings was not completely covered by us so far, as such an attacker would have had direct access to theme or plugin files – making it much easier to e.g. inject malicious code or change database tables directly than to use Leaflet Maps Marker for Cross site scripting.

Nevertheless although the exploitability of the reported vulnerabilities is low, we take those reports seriously and fixed all of them respectively hardened our entire codebase to prevent future similar vulnerabilities.

Outlook – plans for the next release

Please subscribe to this blog (via RSS or Email) or follow @MapsMarker on twitter (= most current updates) if you want to stay up to date with the latest development news.

Full changelog

compatibility check for “WP Super Cache” debug output which can cause layer maps to break
compatibility check for Admin Custom Login which causes the navigation on the settings page to break
compatibility check for Fast Velocity Minify plugin
option “HTML filter for popuptexts” to prevent injection of malicious code – enabled by default (thx jackl via hackerone)
compatibility check for theme Divi 3+ which can cause maps to break if option “Where to include Javascript files?” is set to footer
Looking for developers to recommend to our clients for customizations – more details at
Autoptimize plugin compatibility check: also verify if option “Also aggregate inline JS?” is set (which is causing maps to break)
use wp_kses() instead of strip_tags() for recent marker widget to support selected HTML elements
only dequeue Google Maps API scripts added by other plugins instead of deregistering them if related option is enabled (as this could break dependend scripts & plugins like WP GPX maps)
prevent duplicate markers when exporting markers from multi-layer-maps to KML, GeoRSS & Wikitude (thx Eric & Thorsten!)
fix PHP APC cache detection for importer
XLS export for marker and layer maps was broken if PHP 7.1+ is used
markers and layers could not be saved on iOS devices due to a bug in Safari´s datetime-local implementation (thx Natalia!)
window width on marker and layer edit pages could not be fully utilized on iOS devices (thx Natalia!)
list of markers was not fully responsive if images larger than 440px in popuptexts were used (thx Georges!)
Low impact: XSS vulnerabilities on marker & layer edit pages (thx to victemz & 0xnop via hackerone)
Low impact: command injection vulnerability in marker & layer export files (thx to kiranreddy via hackerone)
Low impact: stored XSS vulnerability for createdby and updatedby fields on backend
Low impact: stored XSS vulnerability on tools page only if Webapi is enabled (thx whitesector via hackerone)
Low impact: stored XSS vulnerability for custom default marker icon (thx whitesector via hackerone)
Low impact: stored XSS vulnerability for QR code image size (only if Google is set as default QR code provider – thx whitesector via hackerone)
updated Catalan translation thanks to Efraim Bayarri, Vicent Cubells, and Marta Espinalt,
updated Chinese translation thanks to John Shen, and ck
updated German translation
updated Indonesian translation thanks to Andy Aditya Sastrawikarta and Emir Hartato, and Phibu Reza,
updated Italian translation thanks to Luca Barbetti, and Angelo Giammarresi –
updated Japanese translations thanks to Shu Higash and Taisuke Shimamoto
updated Lithuanian translation thanks to Donatas Liaudaitis – and Ovidijus –
updated Russian translation thanks to Ekaterina Golubina (supported by Teplitsa of Social Technologies – and Vyacheslav Strenadko,
updated Spanish translation thanks to David Ramí­rez,, Alvaro Lara,, Victor Guevara,, Ricardo Viteri,, Juan Valdes and Marta Espinalt,
updated Swedish translation thanks to Olof Odier, Tedy Warsitha, Dan Paulsson, Elger Lindgren,, Anton Andreasson, and Tony Lygnersjö –

show all available changelogs

How to download / update

The easiest way to update is to use the WordPress update process: login with an user who has admin privileges, navigate to Dashboard / Updates, select plugins to update and press the button “Update Plugins”. Alternatively you can also download the current version here, unzip the package and overwrite the plugin´s files on your webserver.