Cities Shipping Zones for WooCommerce Security & Risk Analysis

wordpress.org/plugins/cities-shipping-zones-for-woocommerce

WooCommerce plugin for turning the state field into a dropdown city field. To be used as Shipping Zones.

4K active installs · v1.3.1 · PHP 7.0+ · WP 5.2+ · Updated Dec 23, 2025
Tags: city, dropdown, shipping-method, shipping-zone
Score: 98 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Sep 25, 2024
Safety Verdict

Is Cities Shipping Zones for WooCommerce Safe to Use in 2026?

Generally Safe

Score 98/100

Cities Shipping Zones for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Sep 25, 2024 · Updated 3mo ago
Risk Assessment

The "cities-shipping-zones-for-woocommerce" plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and avoiding dangerous functions, file operations, and external HTTP requests. However, significant concerns arise from its attack surface and lack of robust input validation. Two out of three entry points, specifically AJAX handlers, lack authentication checks, making them prime targets for unauthorized actions.

The static analysis reveals a limited output escaping percentage (10%), indicating a potential for Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not properly handled before being displayed. The absence of nonce checks on AJAX handlers further exacerbates this risk, as it allows for Cross-Site Request Forgery (CSRF) attacks. Taint analysis showed no critical or high severity flows, which is positive, but this is in the context of zero total flows analyzed, suggesting limited depth in this analysis.

The plugin's vulnerability history includes one high-severity CVE (CVE-2024-47309), classified as Improper Control of Filename for Include/Require Statement ('PHP Remote File Inclusion') and listed as an authenticated (Shop Manager+) local file inclusion affecting versions <= 1.2.7. It was patched in 1.2.8, but because it dates from 2024 it remains a recent security concern that needs attention. This vulnerability type indicates a historical weakness in how the plugin handles file operations or user-supplied input that could influence file paths. While the current version has no unpatched CVEs, the past file inclusion vulnerability is a strong indicator of past insecure coding practices.

Key Concerns

  • AJAX handlers without authentication
  • Low percentage of properly escaped output
  • Missing nonce checks on AJAX handlers
  • Past high severity CVE (PHP RFI)
Vulnerabilities
1

Cities Shipping Zones for WooCommerce Security Vulnerabilities

CVEs by Year

1 CVE in 2024

Severity Breakdown

High: 1

1 total CVE

CVE-2024-47309 · high · 7.2 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Cities Shipping Zones for WooCommerce <= 1.2.7 - Authenticated (Shop Manager+) Local File Inclusion

Sep 25, 2024 · Patched in 1.2.8 (8d)
Code Analysis
Analyzed Mar 16, 2026

Cities Shipping Zones for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 18 (2 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

10% escaped · 20 total outputs
Attack Surface
2 unprotected

Cities Shipping Zones for WooCommerce Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_csz_match_shipping_zone · cities-shipping-zones-for-woocommerce.php:90
nopriv · wp_ajax_csz_match_shipping_zone · cities-shipping-zones-for-woocommerce.php:91

Shortcodes 1

[csz_cities] cities-shipping-zones-for-woocommerce.php:89
WordPress Hooks 41
action · before_woocommerce_init · cities-shipping-zones-for-woocommerce.php:43
action · plugins_loaded · cities-shipping-zones-for-woocommerce.php:48
filter · plugin_row_meta · cities-shipping-zones-for-woocommerce.php:80
filter · woocommerce_settings_tabs_array · cities-shipping-zones-for-woocommerce.php:81
action · woocommerce_settings_tabs_csz · cities-shipping-zones-for-woocommerce.php:82
action · woocommerce_update_options_csz · cities-shipping-zones-for-woocommerce.php:83
filter · woocommerce_admin_settings_sanitize_option_wc_csz_countries_codes · cities-shipping-zones-for-woocommerce.php:84
filter · woocommerce_admin_settings_sanitize_option_wc_csz_populate_state · cities-shipping-zones-for-woocommerce.php:85
filter · woocommerce_admin_settings_sanitize_option_wc_csz_new_state_field · cities-shipping-zones-for-woocommerce.php:86
filter · woocommerce_admin_settings_sanitize_option_wc_csz_shipping_distance_fee · cities-shipping-zones-for-woocommerce.php:87
filter · woocommerce_admin_settings_sanitize_option_wc_csz_set_zone_locations · cities-shipping-zones-for-woocommerce.php:88
filter · woocommerce_should_load_paypal_standard · cities-shipping-zones-for-woocommerce.php:92
filter · woocommerce_states · cities-shipping-zones-for-woocommerce.php:99
action · woocommerce_checkout_create_order · cities-shipping-zones-for-woocommerce.php:106
action · woocommerce_customer_save_address · cities-shipping-zones-for-woocommerce.php:107
filter · woocommerce_customer_meta_fields · cities-shipping-zones-for-woocommerce.php:114
filter · woocommerce_customer_taxable_address · cities-shipping-zones-for-woocommerce.php:115
filter · woocommerce_localisation_address_formats · cities-shipping-zones-for-woocommerce.php:116
filter · woocommerce_shipping_calculator_enable_city · cities-shipping-zones-for-woocommerce.php:117
filter · woocommerce_shipping_calculator_enable_postcode · cities-shipping-zones-for-woocommerce.php:118
filter · woocommerce_customer_default_location · cities-shipping-zones-for-woocommerce.php:119
filter · woocommerce_get_country_locale · cities-shipping-zones-for-woocommerce.php:120
filter · woocommerce_shipping_calculator_enable_state · cities-shipping-zones-for-woocommerce.php:122
filter · woocommerce_default_address_fields · cities-shipping-zones-for-woocommerce.php:123
action · woocommerce_after_checkout_form · cities-shipping-zones-for-woocommerce.php:124
action · woocommerce_account_navigation · cities-shipping-zones-for-woocommerce.php:125
filter · wooccm_billing_fields · cities-shipping-zones-for-woocommerce.php:126
filter · wooccm_shipping_fields · cities-shipping-zones-for-woocommerce.php:127
filter · woocommerce_shipping_calculator_enable_state · cities-shipping-zones-for-woocommerce.php:130
filter · woocommerce_checkout_fields · cities-shipping-zones-for-woocommerce.php:131
action · woocommerce_after_checkout_validation · cities-shipping-zones-for-woocommerce.php:132
filter · woocommerce_admin_reports · cities-shipping-zones-for-woocommerce.php:140
filter · manage_edit-shop_order_columns · cities-shipping-zones-for-woocommerce.php:141
action · manage_shop_order_posts_custom_column · cities-shipping-zones-for-woocommerce.php:142
filter · manage_edit-shop_order_sortable_columns · cities-shipping-zones-for-woocommerce.php:143
action · pre_get_posts · cities-shipping-zones-for-woocommerce.php:144
filter · woocommerce_shop_order_search_fields · cities-shipping-zones-for-woocommerce.php:145
filter · woocommerce_shipping_instance_form_fields_flat_rate · cities-shipping-zones-for-woocommerce.php:152
filter · woocommerce_package_rates · cities-shipping-zones-for-woocommerce.php:153
action · wp_footer · cities-shipping-zones-for-woocommerce.php:564
action · wp_footer · cities-shipping-zones-for-woocommerce.php:571
Maintenance & Trust

Cities Shipping Zones for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 23, 2025
PHP min version: 7.0
Downloads: 85K

Community Trust

Rating: 98/100
Number of ratings: 18
Active installs: 4K
Developer Profile

Cities Shipping Zones for WooCommerce Developer Profile

Condless

7 plugins · 10K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 8 days
Detection Fingerprints

How We Detect Cities Shipping Zones for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/cities-shipping-zones-for-woocommerce/assets/css/backend.css
  • /wp-content/plugins/cities-shipping-zones-for-woocommerce/assets/css/frontend.css
  • /wp-content/plugins/cities-shipping-zones-for-woocommerce/assets/js/backend.js
  • /wp-content/plugins/cities-shipping-zones-for-woocommerce/assets/js/frontend.js
Script Paths
  • /wp-content/plugins/cities-shipping-zones-for-woocommerce/assets/js/backend.js
  • /wp-content/plugins/cities-shipping-zones-for-woocommerce/assets/js/frontend.js
Version Parameters
  • cities-shipping-zones-for-woocommerce/assets/css/backend.css?ver=
  • cities-shipping-zones-for-woocommerce/assets/css/frontend.css?ver=
  • cities-shipping-zones-for-woocommerce/assets/js/backend.js?ver=
  • cities-shipping-zones-for-woocommerce/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • csz-billing-city
  • csz-shipping-city
  • wc_csz_field
HTML Comments
  • <!-- Cities Shipping Zones for WooCommerce -->
  • <!-- WC CSZ Settings -->
  • <!-- WC CSZ General Settings -->
  • <!-- WC CSZ Shipping Methods Settings -->
Data Attributes
  • data-csz-country
  • data-csz-state
  • data-csz-city
  • data-csz-populate-state
  • data-csz-new-state-field
  • data-csz-shipping-distance-fee
  • +1 more
JS Globals
csz_ajax_object
REST Endpoints
/wp-json/csz/v1/locations
Shortcode Output
[csz_cities]
FAQ

Frequently Asked Questions about Cities Shipping Zones for WooCommerce