Zorem Local Pickup Security & Risk Analysis

wordpress.org/plugins/advanced-local-pickup-for-woocommerce

Zorem Local Pickup plugin enhances WooCommerce by streamlining in-store pickups, offering a dedicated workflow for local pickup fulfillment.

3K active installs · v1.7.9 · PHP 7.0+ · WP 5.0+ · Updated Feb 16, 2026
Tags: in-store-pickup, local-pickup, shipping, shipping-options, woocommerce
Security score: 98 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Apr 22, 2024
Safety Verdict

Is Zorem Local Pickup Safe to Use in 2026?

Generally Safe

Score 98/100

Zorem Local Pickup has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

5 known CVEs · Last CVE: Apr 22, 2024 · Updated 3mo ago
Risk Assessment

The 'advanced-local-pickup-for-woocommerce' v1.7.9 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries, implementing nonces for its AJAX handlers, and performing capability checks. The vast majority of its output is properly escaped, and there are no identified file operations or shortcodes, reducing potential attack vectors.

However, several concerning signals emerge from the static analysis and vulnerability history. The presence of 9 instances of the 'unserialize' function, combined with 5 taint flows with unsanitized paths, suggests a significant risk of deserialization vulnerabilities, potentially leading to remote code execution or unauthorized access. The plugin's history of 5 CVEs, including one high-severity and four medium-severity vulnerabilities, with the most recent in April 2024, indicates a recurring pattern of security weaknesses. While no currently unpatched CVEs are listed, the past issues, particularly around SQL injection, CSRF, and missing authorization, coupled with the identified taint flows, warrant careful consideration. The plugin uses a bundled library, Select2, which, while not explicitly flagged as outdated, could be a potential vector if not kept up-to-date.

In conclusion, while the plugin has strengths in its basic security implementations, the significant risks posed by the 'unserialize' function and unsanitized taint flows, compounded by its historical vulnerability record, present a notable security concern.

Key Concerns

  • 5 flows with unsanitized paths (taint analysis)
  • 9 dangerous functions ('unserialize' detected)
  • 1 high severity CVE in vulnerability history
  • 4 medium severity CVEs in vulnerability history
  • Bundled library (Select2)
Vulnerabilities
5 published

Zorem Local Pickup Security Vulnerabilities

CVEs by Year

2023: 3 CVEs
2024: 2 CVEs

Severity Breakdown

High: 1
Medium: 4

5 total CVEs

CVE-2024-32814 · medium · 6.5 · Missing Authorization

Advanced Local Pickup for WooCommerce <= 1.6.1 - Missing Authorization to Notice Dismissal

Apr 22, 2024 Patched in 1.6.2 (8d)
CVE-2024-31283 · medium · 6.5 · Missing Authorization

Advanced Local Pickup for WooCommerce <= 1.6.2 - Missing Authorization

Apr 5, 2024 Patched in 1.6.3 (6d)
CVE-2023-2841 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Advanced Local Pickup for WooCommerce <= 1.5.5 - Authenticated (Administrator+) SQL Injection

Oct 21, 2023 Patched in 1.6.0 (94d)

Advanced Local Pickup for WooCommerce <= 1.5.2 - Cross-Site Request Forgery

Mar 31, 2023 Patched in 1.5.3 (298d)
CVE-2022-40702 · medium · 4.3 · Missing Authorization

Advanced Local Pickup for WooCommerce <= 1.5.2 - Missing Authorization

Mar 28, 2023 Patched in 1.5.3 (301d)
Version History

Zorem Local Pickup Release Timeline

v1.7.9 (Current)
v1.7.8
v1.7.7
v1.7.6
v1.7.5
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.6.9
v1.6.8
v1.6.7
v1.6.6
v1.6.5
v1.6.4
v1.6.3
v1.6.2 (1 CVE)
Code Analysis
Analyzed Mar 16, 2026

Zorem Local Pickup Code Analysis

Dangerous Functions: 9
Raw SQL Queries: 0 (22 prepared)
Unescaped Output: 34 (631 escaped)
Nonce Checks: 10
Capability Checks: 9
File Operations: 0
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

unserialize | $store_days = isset($location->store_days) ? unserialize($location->store_days) : get_option('wclp_s... | include\views\wclp-edit-location-form.php:195
unserialize | $multi_checkbox_data = isset( $location->store_days ) ? unserialize($location->store_days) : get_opt... | include\views\wclp-edit-location-form.php:332
unserialize | $store_days = isset($location) ? unserialize($location->store_days) : array(); | include\views\wclp_pickup_location_instruction_preview.php:13
unserialize | $store_days = isset($location->store_days) ? unserialize($location->store_days) : array(); | include\wc-local-pickup-admin.php:612
unserialize | $store_days = isset($location->store_days) ? unserialize($location->store_days) : array(); | include\wc-local-pickup-admin.php:707
unserialize | $store_days = isset($location->store_days) ? unserialize($location->store_days) : array(); | include\wc-local-pickup-admin.php:789
unserialize | $multi_checkbox_data = unserialize($location->store_days); | include\wc-local-pickup-admin.php:959
unserialize | $store_days = unserialize($location->store_days); | include\wc-local-pickup-admin.php:1106
unserialize | $store_days = isset($location->store_days) ? unserialize($location->store_days) : array(); | include\wc-local-pickup-admin.php:1489

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 22 total queries

Output Escaping

95% escaped · 665 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

10 flows · 5 with unsanitized paths
get_preview_func (include\customizer\customizer-admin.php:199)
Attack Surface

Zorem Local Pickup Attack Surface

Entry Points: 7
Unprotected: 0

AJAX Handlers 7

auth | wp_ajax_wclp_setting_form_update | include\wc-local-pickup-admin.php:53
auth | wp_ajax_wclp_location_edit_form_update | include\wc-local-pickup-admin.php:54
auth | wp_ajax_wclp_update_state_dropdown | include\wc-local-pickup-admin.php:77
auth | wp_ajax_wclp_update_work_hours_list | include\wc-local-pickup-admin.php:78
auth | wp_ajax_wclp_update_edit_location_form | include\wc-local-pickup-admin.php:79
auth | wp_ajax_wclp_apply_work_hours | include\wc-local-pickup-admin.php:80
auth | wp_ajax_reassign_order_status | woo-advanced-local-pickup.php:171
WordPress Hooks 40
action | admin_menu | include\customizer\customizer-admin.php:66
action | rest_api_init | include\customizer\customizer-admin.php:68
action | admin_enqueue_scripts | include\customizer\customizer-admin.php:70
action | admin_footer | include\customizer\customizer-admin.php:72
filter | alp_customizer_email_options | include\customizer\customizer-admin.php:78
filter | alp_customizer_preview_content | include\customizer\customizer-admin.php:79
filter | wp_kses_allowed_html | include\customizer\customizer-admin.php:219
filter | safe_style_css | include\customizer\customizer-admin.php:220
filter | wp_mail_from | include\customizer\customizer-admin.php:303
filter | wp_mail_from_name | include\customizer\customizer-admin.php:304
action | admin_menu | include\wc-local-pickup-admin.php:50
action | init | include\wc-local-pickup-admin.php:57
filter | wc_order_statuses | include\wc-local-pickup-admin.php:60
filter | bulk_actions-edit-shop_order | include\wc-local-pickup-admin.php:61
filter | bulk_actions-woocommerce_page_wc-orders | include\wc-local-pickup-admin.php:62
filter | woocommerce_email_before_order_table | include\wc-local-pickup-admin.php:65
filter | woocommerce_email_before_order_table | include\wc-local-pickup-admin.php:68
filter | woocommerce_admin_order_actions | include\wc-local-pickup-admin.php:69
action | woocommerce_view_order | include\wc-local-pickup-admin.php:71
action | woocommerce_order_details_before_order_table | include\wc-local-pickup-admin.php:73
action | admin_footer | include\wc-local-pickup-admin.php:75
filter | woocommerce_valid_order_statuses_for_order_again | include\wc-local-pickup-admin.php:82
filter | admin_body_class | include\wc-local-pickup-admin.php:83
action | alp_settings_admin_notice | include\wclp-wc-admin-notices.php:40
action | admin_notices | include\wclp-wc-admin-notices.php:42
action | admin_init | include\wclp-wc-admin-notices.php:43
action | plugins_loaded | woo-advanced-local-pickup.php:48
action | admin_footer | woo-advanced-local-pickup.php:49
action | admin_notices | woo-advanced-local-pickup.php:110
action | upgrader_process_complete | woo-advanced-local-pickup.php:157
action | plugins_loaded | woo-advanced-local-pickup.php:160
action | admin_init | woo-advanced-local-pickup.php:163
action | admin_enqueue_scripts | woo-advanced-local-pickup.php:166
filter | woocommerce_email_classes | woo-advanced-local-pickup.php:174
action | woocommerce_order_status_ready-pickup | woo-advanced-local-pickup.php:175
action | woocommerce_order_status_pickup | woo-advanced-local-pickup.php:176
action | before_woocommerce_init | woo-advanced-local-pickup.php:555
action | admin_enqueue_scripts | zorem-tracking\zorem-tracking.php:39
action | init | zorem-tracking\zorem-tracking.php:78
action | admin_init | zorem-tracking\zorem-tracking.php:80
Maintenance & Trust

Zorem Local Pickup Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 16, 2026
PHP min version: 7.0
Downloads: 149K

Community Trust

Rating: 94/100
Number of ratings: 55
Active installs: 3K
Developer Profile

Zorem Local Pickup Developer Profile

Zorem

4 plugins · 70K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 274 days
Detection Fingerprints

How We Detect Zorem Local Pickup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/css/admin-style.css
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/admin-script.js
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/frontend.js
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/css/frontend.css
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/vendor/jquery-ui.min.js
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/vendor/moment.min.js
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/vendor/datetimepicker.js
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/css/datetimepicker.css
Script Paths
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/admin-script.js
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/frontend.js
Version Parameters
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/css/admin-style.css?ver=
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/admin-script.js?ver=
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/frontend.js?ver=
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/css/frontend.css?ver=
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/vendor/jquery-ui.min.js?ver=
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/vendor/moment.min.js?ver=
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/js/vendor/datetimepicker.js?ver=
/wp-content/plugins/advanced-local-pickup-for-woocommerce/assets/css/datetimepicker.css?ver=

HTML / DOM Fingerprints

CSS Classes
alp-pickup-location-details
HTML Comments
<!-- Zorem Local Pickup -->
<!-- Zorem Local Pickup End -->
<!-- Zorem Local Pickup admin -->
<!-- Zorem Local Pickup admin End -->
Data Attributes
data-alp-location-id
data-order-id
data-nonce
JS Globals
alp_admin_script_params
FAQ

Frequently Asked Questions about Zorem Local Pickup