Яндекс Доставка (Boxberry) Security & Risk Analysis

wordpress.org/plugins/boxberry

A convenient plugin for integration with Яндекс Доставка (Boxberry): calculation of delivery cost and delivery time, pickup point selection, order export, and printing of labels and acts.

700 active installs · v2.34 · PHP 5.4+ · WP 4.9+ · Updated Jan 22, 2026
Score: 78 (B · Generally Safe)
CVEs total: 1
Unpatched: 1
Last CVE: Oct 28, 2025
Safety Verdict

Is Яндекс Доставка (Boxberry) Safe to Use in 2026?

Mostly Safe

Score 78/100

Яндекс Доставка (Boxberry) is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Oct 28, 2025 · Updated 2mo ago
Risk Assessment

The Boxberry plugin v2.34 exhibits a concerning security posture, largely due to a significant number of unprotected AJAX handlers. While the plugin demonstrates good practices in other areas, such as a high percentage of prepared SQL statements and properly escaped output, the presence of 7 unprotected AJAX entry points creates a substantial attack surface. The static analysis also flags the use of the dangerous `unserialize` function, which, if combined with user-controlled input, could lead to serious vulnerabilities like Remote Code Execution. The vulnerability history, with one unpatched medium severity CVE related to missing authorization, further highlights this weakness and suggests a recurring issue with access control. Although there are no critical or high severity taint flows identified, the combination of unprotected entry points, the dangerous function, and past authorization issues warrants significant caution.

Key Concerns

  • Unprotected AJAX handlers
  • Use of dangerous function (unserialize)
  • Unpatched medium severity CVE
  • Missing capability checks on AJAX
Vulnerabilities
1

Яндекс Доставка (Boxberry) Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-62086 · medium · 4.3 · Missing Authorization

Яндекс Доставка (Boxberry) <= 2.32 - Missing Authorization

Oct 28, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Яндекс Доставка (Boxberry) Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 3 (17 prepared)
  • Unescaped Output: 8 (64 escaped)
  • Nonce Checks: 1
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 3
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$this->_container = unserialize($data);` · Boxberry\src\Collections\Collection.php:128

SQL Query Safety

85% prepared · 20 total queries

Output Escaping

89% escaped · 72 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
boxberry_admin_reception_point_search_callback (boxberry-for-woocommerce.php:2409)
Attack Surface
7 unprotected

Яндекс Доставка (Boxberry) Attack Surface

Entry Points: 9
Unprotected: 7

AJAX Handlers 9

auth · wp_ajax_boxberry_update_widget_data · boxberry-for-woocommerce.php:1896
nopriv · wp_ajax_boxberry_update_widget_data · boxberry-for-woocommerce.php:1897
auth · wp_ajax_boxberry_update · boxberry-for-woocommerce.php:2082
nopriv · wp_ajax_boxberry_update · boxberry-for-woocommerce.php:2083
auth · wp_ajax_boxberry_admin_update · boxberry-for-woocommerce.php:2444
auth · wp_ajax_boxberry_admin_reception_point_update · boxberry-for-woocommerce.php:2445
auth · wp_ajax_boxberry_admin_check_api_key · boxberry-for-woocommerce.php:2446
auth · wp_ajax_boxberry_admin_company_api_settings · boxberry-for-woocommerce.php:2447
auth · wp_ajax_boxberry_admin_reception_point_search · boxberry-for-woocommerce.php:2448
WordPress Hooks 19
action · plugins_loaded · boxberry-for-woocommerce.php:24
action · admin_notices · boxberry-for-woocommerce.php:34
action · plugins_loaded · boxberry-for-woocommerce.php:47
action · boxberry_update_data_event · boxberry-for-woocommerce.php:87
action · woocommerce_shipping_init · boxberry-for-woocommerce.php:894
filter · woocommerce_shipping_methods · boxberry-for-woocommerce.php:906
action · add_meta_boxes · boxberry-for-woocommerce.php:938
action · woocommerce_checkout_update_order_review · boxberry-for-woocommerce.php:949
action · woocommerce_process_shop_order_meta · boxberry-for-woocommerce.php:1135
action · woocommerce_after_shipping_rate · boxberry-for-woocommerce.php:1704
action · wp_enqueue_scripts · boxberry-for-woocommerce.php:1973
action · admin_enqueue_scripts · boxberry-for-woocommerce.php:1994
action · woocommerce_store_api_checkout_order_processed · boxberry-for-woocommerce.php:2013
filter · rest_pre_dispatch · boxberry-for-woocommerce.php:2047
action · woocommerce_new_order · boxberry-for-woocommerce.php:2074
action · wp_head · boxberry-for-woocommerce.php:2461
action · admin_head · boxberry-for-woocommerce.php:2474
action · woocommerce_order_status_changed · boxberry-for-woocommerce.php:2490
action · woocommerce_after_checkout_validation · boxberry-for-woocommerce.php:2514

Scheduled Events 2

boxberry_update_data_event
boxberry_update_data_event
Maintenance & Trust

Яндекс Доставка (Boxberry) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 22, 2026
PHP min version: 5.4
Downloads: 24K

Community Trust

Rating: 60/100
Number of ratings: 1
Active installs: 700
Developer Profile

Яндекс Доставка (Boxberry) Developer Profile

akazanstev

1 plugin · 700 total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Яндекс Доставка (Boxberry)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/boxberry/assets/js/boxberry-delivery-widget.js
/wp-content/plugins/boxberry/assets/css/boxberry-delivery-widget.css
/wp-content/plugins/boxberry/assets/js/backend-script.js
/wp-content/plugins/boxberry/assets/css/backend-style.css
Generator Patterns
Boxberry
Script Paths
//points.boxberry.ru/js/boxberry.js
Version Parameters
boxberry/assets/js/boxberry-delivery-widget.js?ver=
boxberry/assets/css/boxberry-delivery-widget.css?ver=
boxberry/assets/js/backend-script.js?ver=
boxberry/assets/css/backend-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
boxberry-delivery-widget
boxberry-widget-point-address
boxberry-widget-point-name
boxberry-widget-point-schedule
boxberry-widget-point-phone
HTML Comments
<!-- Boxberry for WooCommerce -->
Data Attributes
data-boxberry-api-key
data-boxberry-default-city
data-boxberry-default-point
data-boxberry-is-shipping
data-boxberry-widget-url
data-boxberry-api-url
JS Globals
boxberryDeliveryWidget
jQuery(document).ready(function($){boxberryWidgetInit();});
REST Endpoints
/wp-json/boxberry/v1/cities
/wp-json/boxberry/v1/points
Shortcode Output
[boxberry_cities]
[boxberry_points]