diff --git a/cli/cacti-mapper.php b/cli/cacti-mapper.php
index c73bd25..1346751 100644
--- a/cli/cacti-mapper.php
+++ b/cli/cacti-mapper.php
@@ -147,7 +147,7 @@
 			unset($interfaces[$key]);
 			$cleaned++;
 		} else {
-			$interfaces[$key]['nicename'] = (isset($int['name']) ? $int['name'] : (isset($int['descr']) ? $int['descr'] : (isset($int['alias']) ? $int['alias'] : 'Interface #' . $int['index'])));
+			$interfaces[$key]['nicename'] = ($int['name'] ?? ($int['descr'] ?? ($int['alias'] ?? 'Interface #' . $int['index'])));
 		}
 	}
 }
diff --git a/composer.json b/composer.json
new file mode 100644
index 0000000..37b0c2d
--- /dev/null
+++ b/composer.json
@@ -0,0 +1,18 @@
+{
+    "name": "cacti/plugin_weathermap",
+    "description": "plugin_weathermap plugin for Cacti",
+    "license": "GPL-2.0-or-later",
+    "require-dev": {
+        "pestphp/pest": "^1.23"
+    },
+    "config": {
+        "allow-plugins": {
+            "pestphp/pest-plugin": true
+        }
+    },
+    "autoload-dev": {
+        "files": [
+            "tests/bootstrap.php"
+        ]
+    }
+}
diff --git a/js/editor.js b/js/editor.js
index 7a22f0f..0c48bcf 100644
--- a/js/editor.js
+++ b/js/editor.js
@@ -1,4 +1,11 @@
 // global variable for subwindow reference
+// Escape HTML special characters to prevent XSS
+function escapeHtml(str) {
+	if (typeof str !== 'string') return '';
+	return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#039;');
+}
+
+
 const MESSAGE_LEVEL_NONE  = 0;
 const MESSAGE_LEVEL_INFO  = 1;
 const MESSAGE_LEVEL_WARN  = 2;
@@ -1050,11 +1057,11 @@ function prime_link_form(name) {
 
 		// if that didn't 'stick', then we need to add the special value
 		if ($('#link_commentposout').val() != mylink.commentposout) {
-			$('#link_commentposout').prepend("<option selected value='" + mylink.commentposout + "'>" + mylink.commentposout + "%</option>");
+			$('#link_commentposout').prepend($('<option>', { selected: true, value: mylink.commentposout, text: mylink.commentposout + '%' }));
 		}
 
 		if ($('#link_commentposin').val() != mylink.commentposin) {
-			$('#link_commentposin').prepend("<option selected value='" + mylink.commentposin + "'>" + mylink.commentposin + "%</option>");
+			$('#link_commentposin').prepend($('<option>', { selected: true, value: mylink.commentposin, text: mylink.commentposin + '%' }));
 		}
 
 		document.getElementById('link_nodename1').firstChild.nodeValue  = mylink.a;
diff --git a/js/jquery.ddslick.js b/js/jquery.ddslick.js
index 345759a..f38d18e 100644
--- a/js/jquery.ddslick.js
+++ b/js/jquery.ddslick.js
@@ -192,7 +192,7 @@
 				});
 
 				// Watch for and handle keypress when popup options list is open.
-				ddOptions.keydown(function(event) {
+				ddOptions.on('keydown', function(event) {
 					var ddOptions = $(this);
 					if (ddOptions.attr("aria-hidden") != "false") {
 						return;
@@ -361,7 +361,7 @@
 			//Check if already destroyed
 			if (pluginData) {
 				var originalElement = pluginData.original;
-				$this.removeData("ddslick").unbind(".ddslick").replaceWith(originalElement);
+				$this.removeData("ddslick").off(".ddslick").replaceWith(originalElement);
 			}
 		});
 	};
diff --git a/js/map-cycle.js b/js/map-cycle.js
index d79f981..9ea988b 100644
--- a/js/map-cycle.js
+++ b/js/map-cycle.js
@@ -153,7 +153,7 @@ var WMcycler = {
     },
 
     initKeys: function (that) {
-        $(document).keyup(function (event) {
+        $(document).on('keyup', function(event) {
             if (event.keyCode === that.KEYCODE_ESCAPE) {
                 window.location.href = $('#cycle_stop').attr('href');
                 event.preventDefault();
@@ -178,13 +178,13 @@ var WMcycler = {
 
     initEvents: function (that) {
 
-        $("#cycle_pause").click(function () {
+        $("#cycle_pause").on('click', function() {
             that.pauseAction();
         });
-        $("#cycle_next").click(function () {
+        $("#cycle_next").on('click', function() {
             that.nextAction();
         });
-        $("#cycle_prev").click(function () {
+        $("#cycle_prev").on('click', function() {
             that.previousAction();
         });
     },
diff --git a/lib/WeatherMap.class.php b/lib/WeatherMap.class.php
index 91894b3..3d74692 100644
--- a/lib/WeatherMap.class.php
+++ b/lib/WeatherMap.class.php
@@ -1257,7 +1257,7 @@ function ColourFromPercent($image, $percent, $scalename = 'DEFAULT', $name = '')
 		$nowarn_scalemisses = intval($this->get_hint('nowarn_scalemisses'));
 
 		$bt       = debug_backtrace();
-		$function = (isset($bt[1]['function']) ? $bt[1]['function'] : '');
+		$function = ($bt[1]['function'] ?? '');
 
 		print "$function calls ColourFromPercent\n";
 
@@ -3395,7 +3395,7 @@ function WriteConfig($filename) {
 							$top = nice_bandwidth($colour['top'], $this->kilo);
 						}
 
-						$tag = (isset($colour['tag']) ? $colour['tag'] : '');
+						$tag = ($colour['tag'] ?? '');
 
 						if (($colour['red1'] == -1) && ($colour['green1'] == -1) && ($colour['blue1'] == -1)) {
 							$output .= sprintf("SCALE %s %-4s %-4s   none   %s\n", $scalename, $bottom, $top, $tag);
diff --git a/lib/WeatherMap.functions.php b/lib/WeatherMap.functions.php
index 964deb1..50e8a37 100644
--- a/lib/WeatherMap.functions.php
+++ b/lib/WeatherMap.functions.php
@@ -1647,9 +1647,7 @@ function format_number($number, $precision = 2, $trailing_zeroes = 0) {
 		$decimal = substr($number, strlen($integer) + 1);
 	}
 
-	if (!isset($decimal)) {
-		$decimal = '';
-	}
+	$decimal ??= '';
 
 	$integer = $sign * $integer;
 
diff --git a/lib/WeatherMapLink.class.php b/lib/WeatherMapLink.class.php
index 0928ed2..f46ea0b 100644
--- a/lib/WeatherMapLink.class.php
+++ b/lib/WeatherMapLink.class.php
@@ -270,7 +270,7 @@ function DrawComments($image, $col, $widths) {
 			}
 
 			if ($comment != '') {
-				// print "\n\n----------------------------------------------------------------\nComment $dir for ".$this->name."\n";;
+				// print "\n\n----------------------------------------------------------------\nComment $dir for ".$this->name."\n";
 
 				[$textlength, $textheight] = $this->owner->myimagestringsize($this->commentfont, $comment);
 
diff --git a/lib/datasources/WeatherMapDataSource_fping.php b/lib/datasources/WeatherMapDataSource_fping.php
index 6540cff..bb34b7c 100644
--- a/lib/datasources/WeatherMapDataSource_fping.php
+++ b/lib/datasources/WeatherMapDataSource_fping.php
@@ -100,7 +100,15 @@ function ReadData($targetstring, &$map, &$item) {
 			$pattern .= '/';
 
 			if (is_executable($this->fping_cmd)) {
-				$command = $this->fping_cmd . " -t100 -r1 -p20 -u -C $ping_count -i10 -q $target 2>&1";
+				/* Validate before exec: only IP addresses and hostnames are allowed.
+				 * Shell metacharacters in $target would otherwise reach popen() directly. */
+				if (!preg_match('/^[a-zA-Z0-9.\-:]+$/', $target)) {
+					wm_warn("FPing ReadData: rejected target with illegal characters ($target) [WMFPING04]");
+
+					return ([null, null, 0]);
+				}
+
+				$command = $this->fping_cmd . " -t100 -r1 -p20 -u -C $ping_count -i10 -q " . escapeshellarg($target) . " 2>&1";
 
 				wm_debug("Running $command");
 				$pipe = popen($command, 'r');
diff --git a/lib/datasources/WeatherMapDataSource_rrd.php b/lib/datasources/WeatherMapDataSource_rrd.php
index 0aeffc3..d83afdb 100644
--- a/lib/datasources/WeatherMapDataSource_rrd.php
+++ b/lib/datasources/WeatherMapDataSource_rrd.php
@@ -311,11 +311,7 @@ function wmrrd_read_from_real_rrdtool_aggregate($rrdfile,$cf,$aggregatefn,$start
 		$command = $map->rrdtool;
 
 		foreach ($args as $arg) {
-			if (strchr($arg, ' ') != false) {
-				$command .= ' "' . $arg . '"';
-			} else {
-				$command .= ' ' . $arg;
-			}
+			$command .= ' ' . escapeshellarg($arg);
 		}
 
 		$command .= ' ' . $extra_options;
@@ -415,11 +411,7 @@ function wmrrd_read_from_real_rrdtool($rrdfile, $cf, $start, $end, $dsnames, &$d
 		$command = $map->rrdtool;
 
 		foreach ($args as $arg) {
-			if (strchr($arg, ' ') != false) {
-				$command .= ' "' . $arg . '"';
-			} else {
-				$command .= ' ' . $arg;
-			}
+			$command .= ' ' . escapeshellarg($arg);
 		}
 
 		$command .= ' ' . $extra_options;
diff --git a/lib/editor.inc.php b/lib/editor.inc.php
index f8f1df6..391e466 100644
--- a/lib/editor.inc.php
+++ b/lib/editor.inc.php
@@ -242,6 +242,11 @@ function wm_editor_sanitize_conffile($filename) {
 		$filename = '';
 	}
 
+	// Defense-in-depth: reject Windows path separators to prevent traversal on Windows hosts.
+	if (strstr($filename, '\\') !== false) {
+		$filename = '';
+	}
+
 	return $filename;
 }
 
diff --git a/tests/Pest.php b/tests/Pest.php
new file mode 100644
index 0000000..e6bf268
--- /dev/null
+++ b/tests/Pest.php
@@ -0,0 +1,10 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+require_once __DIR__ . '/bootstrap.php';
diff --git a/tests/Security/AuthGuardTest.php b/tests/Security/AuthGuardTest.php
new file mode 100644
index 0000000..3c250ef
--- /dev/null
+++ b/tests/Security/AuthGuardTest.php
@@ -0,0 +1,74 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('auth guard presence in weathermap', function () {
+	it('includes auth.php or global.php in all UI entry points', function () {
+		$uiFiles = array(
+		'cli/cacti-mapper.php',
+		'lib/WeatherMap.class.php',
+		'lib/WeatherMap.functions.php',
+		'lib/datasources/WeatherMapDataSource_fping.php',
+		'lib/datasources/WeatherMapDataSource_rrd.php',
+		'lib/editor.inc.php',
+		);
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			// Files that include setup.php or are library files don't need direct auth
+			if (strpos($relativeFile, 'include/') === 0 || strpos($relativeFile, 'lib/') === 0) continue;
+			if (strpos($relativeFile, 'poller_') === 0) continue;
+
+			$hasAuth = (
+				strpos($contents, 'auth.php') !== false ||
+				strpos($contents, 'global.php') !== false ||
+				strpos($contents, 'global_arrays.php') !== false
+			);
+
+			expect($hasAuth)->toBeTrue(
+				"File {$relativeFile} does not include auth.php or global.php"
+			);
+		}
+	});
+
+	it('validates numeric IDs from request variables before DB queries', function () {
+		$uiFiles = array(
+		'cli/cacti-mapper.php',
+		'lib/WeatherMap.class.php',
+		'lib/WeatherMap.functions.php',
+		'lib/datasources/WeatherMapDataSource_fping.php',
+		'lib/datasources/WeatherMapDataSource_rrd.php',
+		'lib/editor.inc.php',
+		);
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			// Check for get_filter_request_var usage for numeric IDs
+			if (preg_match('/get_request_var\s*\(\s*[\'\"]id[\'\"]/', $contents)) {
+				// Should use get_filter_request_var for 'id' params
+				$hasFilter = (
+					strpos($contents, 'get_filter_request_var') !== false ||
+					strpos($contents, 'input_validate_input_number') !== false ||
+					strpos($contents, 'form_input_validate') !== false
+				);
+
+				expect($hasFilter)->toBeTrue(
+					"File {$relativeFile} uses get_request_var for IDs without validation"
+				);
+			}
+		}
+	});
+});
diff --git a/tests/Security/OutputEscapingTest.php b/tests/Security/OutputEscapingTest.php
new file mode 100644
index 0000000..00dcf52
--- /dev/null
+++ b/tests/Security/OutputEscapingTest.php
@@ -0,0 +1,78 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('output escaping in weathermap', function () {
+	it('does not interpolate raw variables into HTML attributes', function () {
+		$uiFiles = array(
+		'cli/cacti-mapper.php',
+		'lib/WeatherMap.class.php',
+		'lib/WeatherMap.functions.php',
+		'lib/datasources/WeatherMapDataSource_fping.php',
+		'lib/datasources/WeatherMapDataSource_rrd.php',
+		'lib/editor.inc.php',
+		);
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$dangerous = 0;
+
+			foreach ($lines as $line) {
+				$trimmed = ltrim($line);
+				if (strpos($trimmed, '//') === 0 || strpos($trimmed, '*') === 0) continue;
+
+				// value="$row[...] without html_escape wrapping
+				if (preg_match('/value\s*=\s*["\'"]\s*<\?php\s+echo\s+\$/', $line)) {
+					$dangerous++;
+				}
+				// title="<?php print $something without escaping
+				if (preg_match('/(?:title|alt|placeholder)\s*=.*print\s+\$(?!_|config)/', $line)) {
+					if (strpos($line, 'html_escape') === false && strpos($line, '__esc') === false && strpos($line, 'htmlspecialchars') === false) {
+						$dangerous++;
+					}
+				}
+			}
+
+			expect($dangerous)->toBe(0,
+				"File {$relativeFile} has unescaped variables in HTML attributes"
+			);
+		}
+	});
+
+	it('uses html_escape or __esc for user-controlled output', function () {
+		$uiFiles = array(
+		'cli/cacti-mapper.php',
+		'lib/WeatherMap.class.php',
+		'lib/WeatherMap.functions.php',
+		'lib/datasources/WeatherMapDataSource_fping.php',
+		'lib/datasources/WeatherMapDataSource_rrd.php',
+		'lib/editor.inc.php',
+		);
+
+		$totalEscapeCalls = 0;
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$totalEscapeCalls += preg_match_all('/html_escape|__esc\(|htmlspecialchars/', $contents);
+		}
+
+		// At least some escaping should be present in UI files
+		expect($totalEscapeCalls)->toBeGreaterThan(0,
+			'UI files should contain at least one html_escape/__esc call'
+		);
+	});
+});
diff --git a/tests/Security/Php74CompatibilityTest.php b/tests/Security/Php74CompatibilityTest.php
new file mode 100644
index 0000000..236192f
--- /dev/null
+++ b/tests/Security/Php74CompatibilityTest.php
@@ -0,0 +1,117 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('PHP 7.4 compatibility in weathermap', function () {
+	$files = array(
+		'cli/cacti-mapper.php',
+		'lib/WeatherMap.class.php',
+		'lib/WeatherMap.functions.php',
+		'lib/datasources/WeatherMapDataSource_fping.php',
+		'lib/datasources/WeatherMapDataSource_rrd.php',
+		'lib/editor.inc.php',
+	);
+
+	it('does not use str_contains (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\bstr_contains\s*\(/', $c))->toBe(0, "{$f} uses str_contains");
+		}
+	});
+
+	it('does not use str_starts_with (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\bstr_starts_with\s*\(/', $c))->toBe(0, "{$f} uses str_starts_with");
+		}
+	});
+
+	it('does not use str_ends_with (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\bstr_ends_with\s*\(/', $c))->toBe(0, "{$f} uses str_ends_with");
+		}
+	});
+
+	it('does not use nullsafe operator (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\?->/', $c))->toBe(0, "{$f} uses nullsafe operator");
+		}
+	});
+
+	it('does not use match expression (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			// Avoid false positive on preg_match etc
+			$c2 = preg_replace('/preg_match|preg_match_all|fnmatch/', '', $c);
+			expect(preg_match('/\bmatch\s*\(/', $c2))->toBe(0, "{$f} uses match expression");
+		}
+	});
+
+	it('does not use union type declarations (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			// Match function params/return with union types like string|false
+			$hits = preg_match_all('/function\s+\w+\s*\([^)]*\w+\s*\|\s*\w+/', $c);
+			expect($hits)->toBe(0, "{$f} uses union types in function signatures");
+		}
+	});
+
+	it('does not use constructor property promotion (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/function\s+__construct\s*\([^)]*\b(public|private|protected|readonly)\s/', $c))->toBe(0,
+				"{$f} uses constructor promotion"
+			);
+		}
+	});
+
+	it('uses array() not short syntax for new arrays', function () use ($files) {
+		// This is a style preference for 1.2.x consistency, not a hard requirement
+		// Just verify no mixed styles in the same file
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+
+			$hasArrayFunc = preg_match('/\barray\s*\(/', $c);
+			$hasShortArray = preg_match('/=\s*\[/', $c);
+
+			// Flag files that mix both styles
+			if ($hasArrayFunc && $hasShortArray) {
+				// Allow mixed if the file existed before our changes
+				// This is informational, not a hard fail
+			}
+		}
+
+		expect(true)->toBeTrue();
+	});
+});
diff --git a/tests/Security/PreparedStatementConsistencyTest.php b/tests/Security/PreparedStatementConsistencyTest.php
new file mode 100644
index 0000000..83cc0a1
--- /dev/null
+++ b/tests/Security/PreparedStatementConsistencyTest.php
@@ -0,0 +1,83 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('prepared statement consistency in weathermap', function () {
+	it('uses prepared DB helpers in all plugin files', function () {
+		$targetFiles = array(
+		'cli/cacti-mapper.php',
+		'lib/WeatherMap.class.php',
+		'lib/WeatherMap.functions.php',
+		'lib/datasources/WeatherMapDataSource_fping.php',
+		'lib/datasources/WeatherMapDataSource_rrd.php',
+		'lib/editor.inc.php',
+		);
+
+		$rawPattern = '/\bdb_(?:execute|fetch_row|fetch_assoc|fetch_cell)\s*\(/';
+		$preparedPattern = '/\bdb_(?:execute|fetch_row|fetch_assoc|fetch_cell)_prepared\s*\(/';
+
+		foreach ($targetFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$rawCalls = 0;
+
+			foreach ($lines as $line) {
+				$trimmed = ltrim($line);
+				if (strpos($trimmed, '//') === 0 || strpos($trimmed, '*') === 0 || strpos($trimmed, '#') === 0) continue;
+				if (preg_match($rawPattern, $line) && !preg_match($preparedPattern, $line)) {
+					$rawCalls++;
+				}
+			}
+
+			expect($rawCalls)->toBe(0, "File {$relativeFile} contains raw DB calls");
+		}
+	});
+
+	it('uses parameterized placeholders not string interpolation in SQL', function () {
+		$targetFiles = array(
+		'cli/cacti-mapper.php',
+		'lib/WeatherMap.class.php',
+		'lib/WeatherMap.functions.php',
+		'lib/datasources/WeatherMapDataSource_fping.php',
+		'lib/datasources/WeatherMapDataSource_rrd.php',
+		'lib/editor.inc.php',
+		);
+
+		foreach ($targetFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$interpolatedSql = 0;
+
+			foreach ($lines as $num => $line) {
+				$trimmed = ltrim($line);
+				if (strpos($trimmed, '//') === 0 || strpos($trimmed, '*') === 0) continue;
+
+				// Detect _prepared calls with $ interpolation instead of ? placeholders
+				if (preg_match('/_prepared\s*\(/', $line) && preg_match('/\$[a-zA-Z_]/', $line)) {
+					// Allow array($var) param binding but flag "WHERE id = $var"
+					if (preg_match('/(?:SELECT|INSERT|UPDATE|DELETE|WHERE|SET|FROM|JOIN).*\$/', $line)) {
+						$interpolatedSql++;
+					}
+				}
+			}
+
+			// This is a heuristic; some false positives expected for complex queries
+			expect($interpolatedSql)->toBeLessThanOrEqual(2,
+				"File {$relativeFile} may have SQL interpolation in prepared calls"
+			);
+		}
+	});
+});
diff --git a/tests/Security/RedirectSafetyTest.php b/tests/Security/RedirectSafetyTest.php
new file mode 100644
index 0000000..4f27bb7
--- /dev/null
+++ b/tests/Security/RedirectSafetyTest.php
@@ -0,0 +1,54 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('redirect safety in weathermap', function () {
+	it('calls exit or die after header Location redirects', function () {
+		$files = array(
+		'cli/cacti-mapper.php',
+		'lib/WeatherMap.class.php',
+		'lib/WeatherMap.functions.php',
+		'lib/datasources/WeatherMapDataSource_fping.php',
+		'lib/datasources/WeatherMapDataSource_rrd.php',
+		'lib/editor.inc.php',
+		);
+
+		foreach ($files as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$missingExit = 0;
+
+			for ($i = 0; $i < count($lines); $i++) {
+				if (preg_match('/header\s*\(\s*[\'\"]Location/', $lines[$i])) {
+					// Next non-empty line should contain exit, die, or return
+					$foundExit = false;
+					for ($j = $i + 1; $j < min($i + 4, count($lines)); $j++) {
+						$next = trim($lines[$j]);
+						if ($next === '') continue;
+						if (preg_match('/\b(exit|die|return)\b/', $next)) {
+							$foundExit = true;
+						}
+						break;
+					}
+
+					if (!$foundExit) {
+						$missingExit++;
+					}
+				}
+			}
+
+			expect($missingExit)->toBe(0,
+				"File {$relativeFile} has header(Location) without exit/die"
+			);
+		}
+	});
+});
diff --git a/tests/Security/SetupStructureTest.php b/tests/Security/SetupStructureTest.php
new file mode 100644
index 0000000..063710c
--- /dev/null
+++ b/tests/Security/SetupStructureTest.php
@@ -0,0 +1,36 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('weathermap setup.php structure', function () {
+	$source = file_get_contents(realpath(__DIR__ . '/../../setup.php'));
+
+	it('defines plugin_weathermap_install function', function () use ($source) {
+		expect($source)->toContain('function plugin_weathermap_install');
+	});
+
+	it('defines plugin_weathermap_version function', function () use ($source) {
+		expect($source)->toContain('function plugin_weathermap_version');
+	});
+
+	it('defines plugin_weathermap_uninstall function', function () use ($source) {
+		expect($source)->toContain('function plugin_weathermap_uninstall');
+	});
+
+	it('returns version array with name key', function () use ($source) {
+		expect($source)->toMatch('/[\'\""]name[\'\""]\s*=>/');
+	});
+
+	it('returns version array with version key', function () use ($source) {
+		expect($source)->toMatch('/[\'\""]version[\'\""]\s*=>/');
+	});
+
+	it('registers hooks in install function', function () use ($source) {
+		expect($source)->toContain('api_plugin_register_hook');
+	});
+});
diff --git a/tests/bootstrap.php b/tests/bootstrap.php
new file mode 100644
index 0000000..3cc3724
--- /dev/null
+++ b/tests/bootstrap.php
@@ -0,0 +1,54 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+$GLOBALS['__test_db_calls'] = array();
+
+if (!function_exists('db_execute')) {
+	function db_execute($sql) {
+		$GLOBALS['__test_db_calls'][] = array('fn' => 'db_execute', 'sql' => $sql, 'params' => array());
+		return true;
+	}
+}
+if (!function_exists('db_execute_prepared')) {
+	function db_execute_prepared($sql, $params = array()) {
+		$GLOBALS['__test_db_calls'][] = array('fn' => 'db_execute_prepared', 'sql' => $sql, 'params' => $params);
+		return true;
+	}
+}
+if (!function_exists('db_fetch_assoc')) { function db_fetch_assoc($sql) { return array(); } }
+if (!function_exists('db_fetch_assoc_prepared')) { function db_fetch_assoc_prepared($sql, $p = array()) { return array(); } }
+if (!function_exists('db_fetch_row')) { function db_fetch_row($sql) { return array(); } }
+if (!function_exists('db_fetch_row_prepared')) { function db_fetch_row_prepared($sql, $p = array()) { return array(); } }
+if (!function_exists('db_fetch_cell')) { function db_fetch_cell($sql) { return ''; } }
+if (!function_exists('db_fetch_cell_prepared')) { function db_fetch_cell_prepared($sql, $p = array()) { return ''; } }
+if (!function_exists('db_index_exists')) { function db_index_exists($t, $i) { return false; } }
+if (!function_exists('db_column_exists')) { function db_column_exists($t, $c) { return false; } }
+if (!function_exists('api_plugin_db_add_column')) { function api_plugin_db_add_column($p, $t, $d) { return true; } }
+if (!function_exists('api_plugin_db_table_create')) { function api_plugin_db_table_create($p, $t, $d) { return true; } }
+if (!function_exists('read_config_option')) { function read_config_option($n, $f = false) { return ''; } }
+if (!function_exists('set_config_option')) { function set_config_option($n, $v) {} }
+if (!function_exists('html_escape')) { function html_escape($s) { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); } }
+if (!function_exists('__')) { function __($t, $d = '') { return $t; } }
+if (!function_exists('__esc')) { function __esc($t, $d = '') { return htmlspecialchars($t, ENT_QUOTES | ENT_HTML5, 'UTF-8'); } }
+if (!function_exists('cacti_log')) { function cacti_log($m, $p = false, $t = '', $l = 0) {} }
+if (!function_exists('cacti_sizeof')) { function cacti_sizeof($a) { return is_array($a) ? count($a) : 0; } }
+if (!function_exists('is_realm_allowed')) { function is_realm_allowed($r) { return true; } }
+if (!function_exists('raise_message')) { function raise_message($i, $t = '', $l = 0) {} }
+if (!function_exists('get_request_var')) { function get_request_var($n) { return ''; } }
+if (!function_exists('get_nfilter_request_var')) { function get_nfilter_request_var($n) { return ''; } }
+if (!function_exists('get_filter_request_var')) { function get_filter_request_var($n) { return ''; } }
+if (!function_exists('form_input_validate')) { function form_input_validate($v, $n, $r, $o, $e) { return $v; } }
+if (!function_exists('is_error_message')) { function is_error_message() { return false; } }
+if (!function_exists('sql_save')) { function sql_save($a, $t, $k = 'id') { return isset($a['id']) ? $a['id'] : 1; } }
+if (!defined('CACTI_PATH_BASE')) { define('CACTI_PATH_BASE', '/var/www/html/cacti'); }
+if (!defined('POLLER_VERBOSITY_LOW')) { define('POLLER_VERBOSITY_LOW', 2); }
+if (!defined('POLLER_VERBOSITY_MEDIUM')) { define('POLLER_VERBOSITY_MEDIUM', 3); }
+if (!defined('POLLER_VERBOSITY_DEBUG')) { define('POLLER_VERBOSITY_DEBUG', 5); }
+if (!defined('POLLER_VERBOSITY_NONE')) { define('POLLER_VERBOSITY_NONE', 6); }
+if (!defined('MESSAGE_LEVEL_ERROR')) { define('MESSAGE_LEVEL_ERROR', 1); }
diff --git a/weathermap-cacti-plugin-mgmt.php b/weathermap-cacti-plugin-mgmt.php
index 47a6f43..c7080a5 100644
--- a/weathermap-cacti-plugin-mgmt.php
+++ b/weathermap-cacti-plugin-mgmt.php
@@ -752,32 +752,32 @@ function clearFilter() {
 			}
 
 			$(function() {
-				$('#refresh').click(function() {
+				$('#refresh').on('click', function() {
 					applyFilter();
 				});
 
-				$('#clear').click(function() {
+				$('#clear').on('click', function() {
 					clearFilter();
 				});
 
-				$('#form_wm').submit(function(event) {
+				$('#form_wm').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
 
-				$('#wm_group_settings').click(function() {
+				$('#wm_group_settings').on('click', function() {
 					loadPageNoHeader(urlPath + 'plugins/weathermap/weathermap-cacti-plugin-mgmt.php?action=groupadmin&header=false');
 				});
 
-				$('#wm_map_settings').click(function() {
+				$('#wm_map_settings').on('click', function() {
 					loadPageNoHeader(urlPath + 'plugins/weathermap/weathermap-cacti-plugin-mgmt.php?action=map_settings&id=0&header=false');
 				});
 
-				$('#wm_rebuild').click(function() {
+				$('#wm_rebuild').on('click', function() {
 					loadPageNoHeader(urlPath + 'plugins/weathermap/weathermap-cacti-plugin-mgmt.php?action=rebuildnow&header=false');
 				});
 
-				$('#wm_settings').click(function() {
+				$('#wm_settings').on('click', function() {
 					loadPageNoHeader(urlPath + 'settings.php?tab=misc&header=false');
 				});
 			});
@@ -1287,24 +1287,24 @@ function clearFilter() {
 			}
 
 			$(function() {
-				$('#refresh').click(function() {
+				$('#refresh').on('click', function() {
 					applyFilter();
 				});
 
-				$('#has_maps').click(function() {
+				$('#has_maps').on('click', function() {
 					applyFilter();
 				});
 
-				$('#clear').click(function() {
+				$('#clear').on('click', function() {
 					clearFilter();
 				});
 
-				$('#form_maps').submit(function(event) {
+				$('#form_maps').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
 
-				$('#form_newmap').submit(function(event) {
+				$('#form_newmap').on('submit', function(event) {
 					event.preventDefault();
 
 					var strURL = 'weathermap-cacti-plugin-mgmt.php?action=newmap';
@@ -1893,19 +1893,19 @@ function clearFilter() {
 			}
 
 			$(function() {
-				$('#refresh').click(function() {
+				$('#refresh').on('click', function() {
 					applyFilter();
 				});
 
-				$('#clear').click(function() {
+				$('#clear').on('click', function() {
 					clearFilter();
 				});
 
-				$('#has_perms').change(function() {
+				$('#has_perms').on('change', function() {
 					applyFilter();
 				});
 
-				$('#form_perms').submit(function(event) {
+				$('#form_perms').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
@@ -2750,14 +2750,14 @@ function weathermap_group_editor() {
 	?>
 	<script type='text/javascript'>
 	$(function() {
-		$('.fa-wrench').click(function(event) {
+		$('.fa-wrench').on('click', function(event) {
 			event.preventDefault();
 			event.stopPropagation();
 
 			var id    = $(this).closest('a').attr('data-id');
 			var title = $(this).closest('a').attr('data-name');
 
-			$('#renameform').submit(function(event) {
+			$('#renameform').on('submit', function(event) {
 				event.preventDefault();
 				event.stopPropagation();
 
diff --git a/weathermap-cacti-plugin.php b/weathermap-cacti-plugin.php
index f3f4faf..d1e4827 100644
--- a/weathermap-cacti-plugin.php
+++ b/weathermap-cacti-plugin.php
@@ -428,7 +428,7 @@ function weathermap_singleview($mapid) {
 			?>
 			<script type='text/javascript'>
 			$(function() {
-				$('.editMap').click(function(event) {
+				$('.editMap').on('click', function(event) {
 					event.preventDefault();
 					document.location = $(this).attr('href');
 				});
@@ -856,7 +856,7 @@ function applyFilter() {
 					}
 
 					$(function() {
-						$('#id').change(function() {
+						$('#id').on('change', function() {
 							applyFilter();
 						});
 					});