BOX NOW Delivery Security & Risk Analysis

wordpress.org/plugins/box-now-delivery

BOX NOW the future of parcel delivery.

5K active installs · v3.0.2 · PHP 7.0+ · WP 6.2+ · Updated Dec 3, 2025
boxnowdelivery
78
B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Jan 21, 2026
Safety Verdict

Is BOX NOW Delivery Safe to Use in 2026?

Mostly Safe

Score 78/100

BOX NOW Delivery is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Jan 21, 2026 · Updated 4mo ago
Risk Assessment

The "box-now-delivery" plugin v3.0.2 exhibits a concerning security posture primarily due to a significant number of unprotected AJAX handlers. While the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and largely escaping output, the lack of authorization checks on 9 out of 12 entry points creates a substantial attack surface. The taint analysis did not reveal any critical or high-severity vulnerabilities, which is a positive sign. However, the presence of unsanitized paths in 5 out of 7 analyzed flows warrants further investigation, as these could potentially lead to issues if exploited in conjunction with other vulnerabilities.

The plugin's vulnerability history is a major red flag. It has a known, unpatched medium-severity CVE from early 2026, and the pattern of past vulnerabilities indicates a recurring issue with missing authorization. This suggests a consistent oversight in securing critical functionalities within the plugin. Despite the positive aspects like secure SQL handling and good output escaping, the combination of a large number of unprotected AJAX endpoints and a history of authorization-related vulnerabilities points to a medium-to-high overall risk for websites using this plugin.

Key Concerns

  • 9 out of 12 AJAX handlers without auth checks
  • 1 unpatched medium severity CVE
  • 5 flows with unsanitized paths
  • 3 nonce checks, but 9 AJAX handlers unprotected
Vulnerabilities: 1

BOX NOW Delivery Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2026-24571 · medium · 4.3 · Missing Authorization

BOX NOW Delivery <= 3.0.2 - Missing Authorization

Jan 21, 2026 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

BOX NOW Delivery Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 8 (111 escaped)
Nonce Checks: 3
Capability Checks: 0
File Operations: 0
External Requests: 8
Bundled Libraries: 0

Output Escaping

93% escaped · 119 total outputs
Data Flows: 5 unsanitized

Data Flow Analysis

7 flows · 5 with unsanitized paths
boxnow_cancel_voucher_ajax_handler (box-now-delivery.php:893)
Attack Surface: 9 unprotected

BOX NOW Delivery Attack Surface

Entry Points: 12
Unprotected: 9

AJAX Handlers: 12

auth · wp_ajax_boxnow_set_locker · box-now-delivery.php:799
nopriv · wp_ajax_boxnow_set_locker · box-now-delivery.php:800
auth · wp_ajax_bndp_set_boxnow_locker · box-now-delivery.php:801
nopriv · wp_ajax_bndp_set_boxnow_locker · box-now-delivery.php:802
auth · wp_ajax_bndp_clear_boxnow_locker · box-now-delivery.php:812
auth · wp_ajax_cancel_voucher · box-now-delivery.php:941
nopriv · wp_ajax_cancel_voucher · box-now-delivery.php:942
auth · wp_ajax_create_box_now_vouchers · box-now-delivery.php:1002
auth · wp_ajax_print_box_now_voucher · box-now-delivery.php:1033
nopriv · wp_ajax_print_box_now_voucher · box-now-delivery.php:1034
auth · wp_ajax_thankyou_php_boxnow · box-now-delivery.php:1228
nopriv · wp_ajax_thankyou_php_boxnow · box-now-delivery.php:1229
WordPress Hooks: 35

action · wp_enqueue_scripts · box-now-delivery.php:59
action · woocommerce_blocks_checkout_enqueue_data · box-now-delivery.php:102
filter · woocommerce_checkout_fields · box-now-delivery.php:123
action · wp_footer · box-now-delivery.php:140
action · wp_footer · box-now-delivery.php:160
action · woocommerce_admin_order_data_after_billing_address · box-now-delivery.php:163
action · woocommerce_process_shop_order_meta · box-now-delivery.php:281
action · woocommerce_checkout_create_order · box-now-delivery.php:329
action · woocommerce_store_api_checkout_order_processed · box-now-delivery.php:331
action · woocommerce_store_api_checkout_update_order_from_request · box-now-delivery.php:377
action · admin_notices · box-now-delivery.php:392
filter · woocommerce_gateway_title · box-now-delivery.php:398
action · woocommerce_order_status_completed · box-now-delivery.php:419
action · woocommerce_review_order_before_payment · box-now-delivery.php:784
action · woocommerce_admin_order_data_after_shipping_address · box-now-delivery.php:878
action · admin_enqueue_scripts · box-now-delivery.php:891
action · admin_footer · box-now-delivery.php:1073
action · admin_enqueue_scripts · box-now-delivery.php:1075
action · woocommerce_thankyou · box-now-delivery.php:1111
action · wp_enqueue_scripts · box-now-delivery.php:1279
action · admin_enqueue_scripts · includes\box-now-delivery-admin-page.php:28
action · admin_menu · includes\box-now-delivery-admin-page.php:214
action · admin_init · includes\box-now-delivery-admin-page.php:215
action · admin_enqueue_scripts · includes\box-now-delivery-admin-page.php:227
action · admin_enqueue_scripts · includes\box-now-delivery-admin-page.php:235
action · init · includes\box-now-delivery-cancel-order.php:4
filter · woocommerce_admin_order_actions · includes\box-now-delivery-cancel-order.php:7
action · admin_head · includes\box-now-delivery-cancel-order.php:8
action · woocommerce_order_status_changed · includes\box-now-delivery-cancel-order.php:10
action · transition_post_status · includes\box-now-delivery-cancel-order.php:11
action · plugins_loaded · includes\box-now-delivery-shipping-method.php:10
filter · woocommerce_gateway_description · includes\box-now-delivery-shipping-method.php:280
action · woocommerce_review_order_before_payment · includes\box-now-delivery-shipping-method.php:326
filter · woocommerce_shipping_methods · includes\box-now-delivery-shipping-method.php:339
action · admin_post_boxnow-settings-save · includes\box-now-delivery-validation.php:7
Maintenance & Trust

BOX NOW Delivery Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Dec 3, 2025
PHP min version: 7.0
Downloads: 44K

Community Trust

Rating: 48/100
Number of ratings: 16
Active installs: 5K
Developer Profile

BOX NOW Delivery Developer Profile

boxnow

1 plugin · 5K total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect BOX NOW Delivery

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/box-now-delivery/js/box-now-delivery.js
  • /wp-content/plugins/box-now-delivery/css/box-now-delivery.css
  • /wp-content/plugins/box-now-delivery/js/box-now-delivery-blocks.js
Script Paths
  • /wp-content/plugins/box-now-delivery/js/box-now-delivery.js
  • /wp-content/plugins/box-now-delivery/js/box-now-delivery-blocks.js

HTML / DOM Fingerprints

CSS Classes
  • boxnow-form-row-hidden
  • boxnow-locker-id-field
Data Attributes
  • data-boxnow-partner-id
  • data-boxnow-embedded-iframe
  • data-boxnow-display-mode
  • data-boxnow-button-color
  • data-boxnow-button-text
  • data-boxnow-locker-not-selected-message
  • +3 more
JS Globals
boxNowDeliverySettings