WP-Safety

Cargus Security & Risk Analysis

wordpress.org/plugins/cargus

Use Cargus delivery methods to ship and deliver your orders.

600 active installs v1.5.9 PHP 7.4+ WP 5.0+ Updated Mar 11, 2026
carte-commerceshopstorewoocommerce
78
B · Generally Safe
CVEs total1
Unpatched1
Last CVEJan 17, 2026
Plugin page Download
Safety Verdict

Is Cargus Safe to Use in 2026?

Mostly Safe

Score 78/100

Cargus is generally safe to use. 1 past CVE were resolved. Keep it updated.

1 known CVE 1 unpatched Last CVE: Jan 17, 2026Updated 23d ago
Risk Assessment

The 'cargus' plugin v1.5.9 exhibits a mixed security posture. On the positive side, it demonstrates strong practices regarding SQL query handling, exclusively using prepared statements, and shows a good percentage of properly escaped outputs. The presence of nonce and capability checks, albeit limited, is also a positive sign. However, significant concerns arise from its attack surface. With 16 AJAX handlers, a substantial 12 of them lack authentication checks, creating a large entry point for unauthorized access and potential exploitation. The code analysis also flags 18 instances of dangerous function usage, specifically `unserialize`, which is notorious for enabling object injection vulnerabilities if not handled with extreme caution and proper validation.

The taint analysis reveals 2 flows with unsanitized paths, indicating potential vulnerabilities where user-supplied data could be manipulated to affect program execution or data integrity, though no critical or high severity flows were identified. The vulnerability history reveals a past exposure of sensitive information to an unauthorized actor, marked by a medium severity CVE. The fact that one CVE remains unpatched is a critical concern, as it leaves existing installations vulnerable to known exploits.

In conclusion, while 'cargus' has some commendable security practices, the unauthenticated AJAX handlers and the presence of `unserialize` are significant risk factors. Combined with the unpatched CVE, the plugin presents a tangible threat that requires immediate attention. Further investigation into the specific use of `unserialize` and the nature of the unsanitized taint flows is highly recommended.

Key Concerns

  • Unauthenticated AJAX handlers
  • Dangerous function usage: unserialize
  • Unpatched CVE
  • Flows with unsanitized paths
  • Insufficient nonce checks
  • Insufficient capability checks
  • Bundled outdated library: jQuery
  • Bundled outdated library: Lodash
Vulnerabilities
1

Cargus Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-24589medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Cargus <= 1.5.8 - Unauthenticated Information Exposure

Jan 17, 2026Unpatched
Code Analysis
Analyzed Mar 16, 2026

Cargus Code Analysis

Dangerous Functions
18
Raw SQL Queries
0
0 prepared
Unescaped Output
24
146 escaped
Nonce Checks
15
Capability Checks
6
File Operations
28
External Requests
8
Bundled Libraries
2

Dangerous Functions Found

unserialize$total_weight += unserialize( get_post_meta( $order_id, 'cargus_greutate_colet', true ) )[ $i ];admin\class-cargus-admin.php:1142
unserialize$fields['ParcelCodes'][ $i ]['Weight'] = unserialize( get_post_meta( $order_id, 'cargus_greutate_coladmin\class-cargus-admin.php:1150
unserialize$fields['ParcelCodes'][ $i ]['Length'] = unserialize( get_post_meta( $order_id, 'cargus_lungime_coleadmin\class-cargus-admin.php:1154
unserialize$fields['ParcelCodes'][ $i ]['Width'] = unserialize( get_post_meta( $order_id, 'cargus_latime_colet'admin\class-cargus-admin.php:1157
unserialize$fields['ParcelCodes'][ $i ]['Height'] = unserialize( get_post_meta( $order_id, 'cargus_inaltime_coladmin\class-cargus-admin.php:1160
unserializeforeach ( unserialize( get_post_meta( $order_id, 'cargus_continut_colet', true ) )[ $i ] as $productadmin\class-cargus-admin.php:1164
unserializeself::$instance = unserialize( $_SESSION['cargus_api_instance'] );admin\class-cargus-api.php:177
unserialize$instance = unserialize( $_SESSION['cargus_api_instance'] );admin\class-cargus-api.php:205
unserialize$instance = unserialize( $_SESSION['cargus_api_instance'] );admin\class-cargus-api.php:246
unserialize$instance = unserialize( $_SESSION['cargus_api_instance'] );admin\class-cargus-api.php:655
unserialize$value = get_post_meta( $post->ID, $field['name'], true ) != '' ? esc_attr( unserialize( get_post_meadmin\class-cargus-metaboxes.php:227
unserialize$value = get_post_meta( $post->ID, $field['name'], true ) != '' ? esc_attr( unserialize( get_post_meadmin\class-cargus-metaboxes.php:258
unserialize$value = get_post_meta( $post->ID, $field['name'], true ) != '' ? esc_attr( unserialize( get_post_meadmin\class-cargus-metaboxes.php:292
unserialize$value = get_post_meta( $post->ID, $field['name'], true ) != '' ? esc_attr( unserialize( get_post_meadmin\class-cargus-metaboxes.php:325
unserialize$value = get_post_meta( $post->ID, $field['name'], true ) != '' ? unserialize( get_post_meta( $post-admin\class-cargus-metaboxes.php:354
unserialize$shipping_cost_array = unserialize( get_option( 'woocommerce_cargus_weight_based_shipping' ) );admin\class-cargus-shipping-method.php:646
unserializeforeach ( unserialize( get_option( 'woocommerce_cargus_weight_based_shipping' ) ) as $pair ) {admin\class-cargus-shipping-method.php:655
unserialize$value = unserialize( get_option( $field_key, $data['default'] ) );admin\class-cargus-shipping-method.php:847

Bundled Libraries

jQuery3.6.0Lodash

Output Escaping

86% escaped170 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows2 with unsanitized paths
process_admin_options (admin\class-cargus-shipping-method.php:146)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
12 unprotected

Cargus Attack Surface

Entry Points16
Unprotected12

AJAX Handlers 16

authwp_ajax_cargus_download_logcargus.php:57
authwp_ajax_cargus_delete_logcargus.php:58
authwp_ajax_cargus_delete_specific_filecargus.php:111
authwp_ajax_cargus_delete_multiple_filescargus.php:113
authwp_ajax_cargus_get_location_idincludes\class-cargus.php:205
noprivwp_ajax_cargus_get_location_idincludes\class-cargus.php:206
authwp_ajax_cargus_get_regionsincludes\class-cargus.php:247
noprivwp_ajax_cargus_get_regionsincludes\class-cargus.php:248
authwp_ajax_cargus_get_regions_intl_bulgariaincludes\class-cargus.php:250
noprivwp_ajax_cargus_get_regions_intl_bulgariaincludes\class-cargus.php:251
authwp_ajax_get_cargus_bulgaria_zipCodeincludes\class-cargus.php:254
noprivwp_ajax_get_cargus_bulgaria_zipCodeincludes\class-cargus.php:255
authwp_ajax_cargus_get_streetsincludes\class-cargus.php:257
noprivwp_ajax_cargus_get_streetsincludes\class-cargus.php:258
authwp_ajax_cargus_pre_deliveryincludes\class-cargus.php:308
noprivwp_ajax_cargus_pre_deliveryincludes\class-cargus.php:309
WordPress Hooks 90
actionwp_loadedadmin\class-cargus-admin.php:73
actionadmin_noticesadmin\class-cargus-admin.php:941
filterwoocommerce_package_ratesadmin\class-cargus-admin.php:2285
filterwoocommerce_package_ratesadmin\class-cargus-admin.php:2306
filterwoocommerce_package_ratesadmin\class-cargus-admin.php:2324
actionadmin_noticesadmin\class-cargus-cron.php:142
actionadmin_noticesadmin\class-cargus-export-shipping-method.php:132
actionadmin_noticesadmin\class-cargus-export-shipping-method.php:135
actionadmin_noticesadmin\class-cargus-export-shipping-method.php:138
actionadmin_noticesadmin\class-cargus-export-shipping-method.php:141
actionadd_meta_boxesadmin\class-cargus-metaboxes.php:71
actionsave_postadmin\class-cargus-metaboxes.php:72
actionadmin_headadmin\class-cargus-metaboxes.php:73
filterwoocommerce_payment_complete_order_statusadmin\class-cargus-ship-and-go-payment.php:69
actionwoocommerce_email_before_order_tableadmin\class-cargus-ship-and-go-payment.php:72
actionadmin_noticesadmin\class-cargus-shipping-method.php:163
actionadmin_noticesadmin\class-cargus-shipping-method.php:166
actionadmin_noticesadmin\class-cargus-shipping-method.php:169
actionadmin_noticesadmin\class-cargus-shipping-method.php:172
actionadmin_noticesadmin\class-cargus-shipping-method.php:177
actionadmin_menucargus.php:53
actionadmin_initcargus.php:56
actionadmin_noticescargus.php:358
actionadmin_initcargus.php:431
actionplugins_loadedincludes\class-cargus.php:147
actioninitincludes\class-cargus.php:164
actionadmin_enqueue_scriptsincludes\class-cargus.php:167
actionwoocommerce_shipping_initincludes\class-cargus.php:170
actionwoocommerce_shipping_methodsincludes\class-cargus.php:171
actionwoocommerce_shipping_initincludes\class-cargus.php:174
actionwoocommerce_shipping_methodsincludes\class-cargus.php:175
actionwoocommerce_shipping_initincludes\class-cargus.php:178
filterwoocommerce_shipping_methodsincludes\class-cargus.php:179
actionwoocommerce_after_checkout_validationincludes\class-cargus.php:180
actionwoocommerce_shipping_initincludes\class-cargus.php:183
actionwoocommerce_shipping_methodsincludes\class-cargus.php:184
actionwoocommerce_shipping_initincludes\class-cargus.php:187
actionwoocommerce_shipping_methodsincludes\class-cargus.php:188
actionwoocommerce_shipping_initincludes\class-cargus.php:191
actionwoocommerce_shipping_methodsincludes\class-cargus.php:192
actionplugins_loadedincludes\class-cargus.php:195
filterwoocommerce_payment_gatewaysincludes\class-cargus.php:196
actionwoocommerce_checkout_processincludes\class-cargus.php:197
actionwoocommerce_checkout_update_order_metaincludes\class-cargus.php:198
actionwoocommerce_admin_order_data_after_billing_addressincludes\class-cargus.php:199
actionwoocommerce_checkout_create_orderincludes\class-cargus.php:202
filterbulk_actions-edit-shop_orderincludes\class-cargus.php:209
filterhandle_bulk_actions-edit-shop_orderincludes\class-cargus.php:210
actionadmin_noticesincludes\class-cargus.php:211
filterhandle_bulk_actions-edit-shop_orderincludes\class-cargus.php:212
actionadmin_noticesincludes\class-cargus.php:213
filterhandle_bulk_actions-edit-shop_orderincludes\class-cargus.php:214
actionadmin_noticesincludes\class-cargus.php:215
actionadmin_initincludes\class-cargus.php:218
actionsave_postincludes\class-cargus.php:219
actionadmin_initincludes\class-cargus.php:222
actionadmin_initincludes\class-cargus.php:223
actionwoocommerce_package_ratesincludes\class-cargus.php:226
actionwoocommerce_checkout_update_order_reviewincludes\class-cargus.php:227
actionwp_enqueue_scriptsincludes\class-cargus.php:243
actionwp_enqueue_scriptsincludes\class-cargus.php:244
actionwoocommerce_cart_totals_before_order_totalincludes\class-cargus.php:261
actionwoocommerce_review_order_before_order_totalincludes\class-cargus.php:262
actionwp_footerincludes\class-cargus.php:265
actionwoocommerce_after_order_notesincludes\class-cargus.php:268
actionwoocommerce_email_after_order_tableincludes\class-cargus.php:271
actionwoocommerce_email_order_detailsincludes\class-cargus.php:274
actionwoocommerce_thankyouincludes\class-cargus.php:277
actionwoocommerce_email_order_detailsincludes\class-cargus.php:280
filterwoocommerce_default_address_fieldsincludes\class-cargus.php:283
filterwoocommerce_checkout_fieldsincludes\class-cargus.php:284
filterwoocommerce_save_account_detailsincludes\class-cargus.php:285
filterwoocommerce_billing_fieldsincludes\class-cargus.php:286
filterwoocommerce_shipping_fieldsincludes\class-cargus.php:287
filterwoocommerce_checkout_update_order_reviewincludes\class-cargus.php:288
filterwoocommerce_available_payment_gatewaysincludes\class-cargus.php:291
filterdefault_checkout_billing_stateincludes\class-cargus.php:294
filterdefault_checkout_shipping_stateincludes\class-cargus.php:295
actionwoocommerce_view_orderincludes\class-cargus.php:298
actionwoocommerce_view_orderincludes\class-cargus.php:299
actionwoocommerce_view_orderincludes\class-cargus.php:300
actionwoocommerce_view_orderincludes\class-cargus.php:301
actionadmin_initincludes\class-cargus.php:323
actioncargus_get_ship_and_go_locationsincludes\class-cargus.php:326
actioncargus_get_ship_and_go_locations_initial_syncincludes\class-cargus.php:327
actioncargus_get_counties_initial_syncincludes\class-cargus.php:330
actioncargus_get_countries_initial_syncincludes\class-cargus.php:333
actionadmin_initincludes\class-cargus.php:336
actioncargus_refresh_login_token_actionincludes\class-cargus.php:337
actionwp_loadedpublic\class-cargus-public.php:63

Scheduled Events 5

cargus_get_ship_and_go_locations_initial_sync
cargus_get_counties_initial_sync
cargus_get_countries_initial_sync
cargus_get_ship_and_go_locations
cargus_refresh_login_token_action
Maintenance & Trust

Cargus Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 11, 2026
PHP min version7.4
Downloads13K

Community Trust

Rating40/100
Number of ratings4
Active installs600
Alternatives

Cargus Alternatives

Recently Viewed Product for WooCommerce

Recently Viewed Product for WooCommerce

recently-viewed-products-for-woocommerce

A
92

Recently Viewed Products for WooCommerce Listing page, you can easily add recently viewed product section by activate the plugin.

1K No CVEs
Swift Shop for WooCommerce – Get to WooCommerce checkout faster with a smooth and hassle-free experience

Swift Shop for WooCommerce – Get to WooCommerce checkout faster with a smooth and hassle-free experience

swift-shop-for-woocommerce

A
100

Short Description: Transform your WooCommerce store with Swift Shop, the fastest React JS based solution for smooth shopping and checkout experiences!

0 No CVEs
Ecwid by Lightspeed Ecommerce Shopping Cart

Ecwid by Lightspeed Ecommerce Shopping Cart

ecwid-shopping-cart

B
83

Powerful, easy to use ecommerce shopping cart for WordPress. Sell on Facebook and Instagram. iPhone & Android apps. Superb support.

20K 13 CVEs
Welcart e-Commerce

Welcart e-Commerce

usc-e-shop

D
40

Welcart is a free e-commerce plugin for Wordpress with top market share in Japan.

20K 1 unpatched
External Product New Tab for WooCommerce

External Product New Tab for WooCommerce

wc-external-product-new-tab

A
100

This plugin sets all external / affiliate product buy now links on a WooCommerce site to open in a new web browser tab.

4K No CVEs
Developer Profile

Cargus Developer Profile

Cargus eCommerce

1 plugin · 600 total installs

79
trust score
Avg Security Score
78/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Cargus

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cargus/admin/css/cargus-debug-tool.css/wp-content/plugins/cargus/admin/js/cargus-debug-tool.js
Version Parameters
cargus/admin/css/cargus-debug-tool.css?ver=cargus/admin/js/cargus-debug-tool.js?ver=

HTML / DOM Fingerprints

CSS Classes
cargus-file-manager
Data Attributes
id="select-all-files"id="delete-selected-files"
JS Globals
window.cargusDebugTool
REST Endpoints
/wp-json/cargus/v1/some-endpoint
FAQ

Frequently Asked Questions about Cargus