Carta Online Security & Risk Analysis

wordpress.org/plugins/carta-online

Use the Carta Online WordPress plugin to embed your offerings on your website.

40 active installs · v2.15.1 · PHP 7.4+ · WP 4.2+ · Updated Mar 18, 2026
Tags: aanbod, carta, cursus, administratie, evenement, publiceren
78
B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Mar 6, 2026
Safety Verdict

Is Carta Online Safe to Use in 2026?

Mostly Safe

Score 78/100

Carta Online is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Mar 6, 2026 · Updated 23d ago
Risk Assessment

The "carta-online" plugin version 2.15.0 presents a mixed security posture. On the positive side, the static analysis reveals a strong adherence to secure coding practices. There are no dangerous function calls, all SQL queries are prepared, and a significant majority of output is properly escaped. The plugin also demonstrates good security hygiene by implementing nonce and capability checks on its entry points and avoiding the bundling of external libraries.

However, several concerns warrant attention. The taint analysis indicates that all six analyzed flows have unsanitized paths, although thankfully none of these are categorized as critical or high severity. More significantly, the vulnerability history shows one known medium-severity CVE that remains unpatched, specifically a Cross-site Scripting issue. The last recorded vulnerability date suggests a potential for recurring issues in this area. The plugin also makes two external HTTP requests, which could be a vector for supply chain attacks or information leakage if not handled with extreme care.

In conclusion, while "carta-online" exhibits commendable secure coding practices such as prepared statements and output escaping, the unpatched medium-severity CVE and the taint analysis showing unsanitized paths are significant weaknesses. The past vulnerability type (XSS) and its unpatched status call for immediate attention to mitigate potential risks.

Key Concerns

  • Unpatched CVE (medium severity)
  • Unsanitized paths in all taint flows
  • External HTTP requests present
Vulnerabilities
1

Carta Online Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2026-1071 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Carta Online <= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

Mar 6, 2026 · Unpatched
Version History

Carta Online Release Timeline

v2.13.0: 1 CVE
v2.13.0-rc1: 1 CVE
v2.12.3: 1 CVE
v2.1.2: 1 CVE
v2.1.1: 1 CVE
v2.0.10: 1 CVE
v2.0.9: 1 CVE
v2.0.8: 1 CVE
v2.0.7: 1 CVE
v2.0.6: 1 CVE
v2.0.4: 1 CVE
v2.0.3: 1 CVE
v1.0.1: 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Carta Online Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 59 (287 escaped)
Nonce Checks: 3
Capability Checks: 2
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

83% escaped · 346 total outputs
Data Flows: 6 unsanitized

Data Flow Analysis

6 flows · 6 with unsanitized paths
html_form_code (includes\co_shortcode_qualification.php:24)
Attack Surface

Carta Online Attack Surface

Entry Points: 11
Unprotected: 0

AJAX Handlers 2

nopriv wp_ajax_co_filter_ajax includes\co_shortcode_filter.php:268
auth wp_ajax_co_filter_ajax includes\co_shortcode_filter.php:269

Shortcodes 9

[co-offerlist] includes\co_shortcode.php:140
[co-companylist] includes\co_shortcode.php:164
[co-test] includes\co_shortcode.php:178
[co-check-html5] includes\co_shortcode.php:192
[co-teacher] includes\co_shortcode.php:206
[co-detail] includes\co_shortcode.php:220
[co-expertiselist] includes\co_shortcode.php:234
[co-form-check-qualification] includes\co_shortcode.php:248
[co-filter] includes\co_shortcode.php:262
WordPress Hooks 22
action admin_init carta-online.php:24
action wp_enqueue_scripts carta-online.php:25
action admin_menu carta-online.php:26
action init carta-online.php:30
action init carta-online.php:32
action add_meta_boxes carta-online.php:33
action save_post carta-online.php:34
action admin_notices carta-online.php:35
action wp_head carta-online.php:37
action admin_head carta-online.php:38
action activated_plugin carta-online.php:39
action admin_init carta-online.php:40
action rewrite_rules_array carta-online.php:655
action init carta-online.php:676
filter query_vars carta-online.php:683
action init includes\co_api.php:533
filter document_title_parts includes\co_custom_pages.php:326
action wp_head includes\co_custom_pages.php:327
action wp_enqueue_scripts includes\co_shortcode_filter.php:241
action wp includes\co_shortcode_test.php:179
action wp_head includes\co_tracking.php:43
action widgets_init includes\co_widget.php:15
Maintenance & Trust

Carta Online Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 18, 2026
PHP min version: 7.4
Downloads: 4K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 40
Developer Profile

Carta Online Developer Profile

cartaonline

1 plugin · 40 total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Carta Online

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/carta-online/css/style.css
/wp-content/plugins/carta-online/images/admin_menu_icon.png
Version Parameters
carta-online/css/style.css?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Carta Online