CityCourier – Local Courier Booking & Tracking System Security & Risk Analysis

wordpress.org/plugins/citycourier-local-courier-booking-tracking-system

Courier booking form with Google Maps integration, distance-based pricing, delivery zones, map picker, and order tracking. Built for WooCommerce.

0 active installs · v1.2.5 · PHP 7.2+ · WP 5.6+ · Updated Nov 16, 2025
Tags: courier, delivery, order-tracking, shipping-calculator, woocommerce
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is CityCourier – Local Courier Booking & Tracking System Safe to Use in 2026?

Generally Safe

Score 100/100

CityCourier – Local Courier Booking & Tracking System has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4mo ago
Risk Assessment

The 'citycourier-local-courier-booking-tracking-system' plugin version 1.2.5 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and includes a substantial number of nonce and capability checks. The absence of known CVEs and the lack of critical or high-severity taint flows are also strong indicators of a relatively well-maintained codebase. However, there are significant concerns regarding its attack surface, particularly with unprotected entry points.

Specifically, the presence of 2 AJAX handlers and 2 REST API routes lacking proper authentication or permission checks presents a direct vulnerability. While no dangerous functions or raw SQL queries were found, the high proportion of unsanitized paths in taint analysis (1 out of 3 flows) coupled with a substantial number of outputs that are not properly escaped (45% unescaped) indicates potential for cross-site scripting (XSS) or other injection vulnerabilities, especially if these unsanitized paths lead to unescaped output. The plugin's vulnerability history is clean, which is encouraging, but the static analysis findings suggest that proactive security measures against these identified weaknesses are crucial.

Key Concerns

  • 2 AJAX handlers without auth checks
  • 2 REST API routes without permission callbacks
  • 1 flow with unsanitized path
  • 55% of outputs properly escaped (45% not)
Vulnerabilities
None known

CityCourier – Local Courier Booking & Tracking System Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

CityCourier – Local Courier Booking & Tracking System Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (3 prepared)
  • Unescaped Output: 203 (246 escaped)
  • Nonce Checks: 7
  • Capability Checks: 9
  • File Operations: 1
  • External Requests: 3
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 3 total queries

Output Escaping

55% escaped · 449 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
citycourier_reports_page_html (admin\settings-page.php:1449)
Attack Surface
4 unprotected

CityCourier – Local Courier Booking & Tracking System Attack Surface

Entry Points: 6
Unprotected: 4

AJAX Handlers (3)

  • auth: wp_ajax_cc_update_order_status (admin\cc-admin-orders.php:72)
  • auth: wp_ajax_citycourier_update_location (admin\settings-page.php:946)
  • nopriv: wp_ajax_citycourier_update_location (admin\settings-page.php:947)

REST API Routes (2)

  • GET /wp-json/citycourier/v1/business-status (admin\settings-page.php:316)
  • GET /wp-json/citycourier/v1/time-check (admin\settings-page.php:414)

Shortcodes (1)

  • [citycourier_form] (citycourier.php:286)

WordPress Hooks (29)

  • filter: woocommerce_admin_order_actions (admin\cc-admin-orders.php:6)
  • action: admin_footer (admin\cc-admin-orders.php:26)
  • action: admin_init (admin\cc-license.php:145)
  • action: admin_notices (admin\cc-license.php:148)
  • filter: woocommerce_email_order_meta_fields (admin\class-emails.php:7)
  • action: woocommerce_email_after_order_table (admin\class-emails.php:56)
  • filter: cron_schedules (admin\settings-page.php:5)
  • action: admin_init (admin\settings-page.php:12)
  • action: admin_init (admin\settings-page.php:43)
  • action: rest_api_init (admin\settings-page.php:315)
  • filter: citycourier_lead_time_minutes (admin\settings-page.php:323)
  • action: admin_notices (admin\settings-page.php:402)
  • action: rest_api_init (admin\settings-page.php:413)
  • filter: rest_send_nocache_headers (admin\settings-page.php:438)
  • action: admin_enqueue_scripts (admin\settings-page.php:817)
  • action: citycourier_check_driver_inactive (admin\settings-page.php:968)
  • action: admin_post_citycourier_export_reports (admin\settings-page.php:1344)
  • action: admin_post_citycourier_contact_send (admin\settings-page.php:1920)
  • action: plugins_loaded (citycourier.php:50)
  • action: admin_notices (citycourier.php:56)
  • action: init (citycourier.php:67)
  • action: admin_menu (citycourier.php:81)
  • action: wp_enqueue_scripts (citycourier.php:158)
  • action: admin_menu (citycourier.php:185)
  • action: admin_notices (citycourier.php:235)
  • action: admin_post_update_order_status (citycourier.php:293)
  • action: admin_enqueue_scripts (citycourier.php:319)
  • action: template_redirect (citycourier.php:332)
  • action: template_redirect (templates\form-submit-handler.php:8)

Maintenance & Trust

CityCourier – Local Courier Booking & Tracking System Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Nov 16, 2025
  • PHP min version: 7.2
  • Downloads: 512

Community Trust

  • Rating: 0/100
  • Number of ratings: 0
  • Active installs: 0

Developer Profile

CityCourier – Local Courier Booking & Tracking System Developer Profile

Gksoft Dev Team

3 plugins · 0 total installs

  • Trust score: 94
  • Avg Security Score: 100/100
  • Avg Patch Time: 30 days
Detection Fingerprints

How We Detect CityCourier – Local Courier Booking & Tracking System

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/citycourier-local-courier-booking-tracking-system/assets/js/citycourier.js
  • /wp-content/plugins/citycourier-local-courier-booking-tracking-system/assets/css/style.css
  • /wp-content/plugins/citycourier-local-courier-booking-tracking-system/assets/css/citycourier-global.css
Script Paths
  • https://maps.googleapis.com/maps/api/js
Version Parameters
  • citycourier-local-courier-booking-tracking-system/assets/js/citycourier.js?ver=
  • citycourier-local-courier-booking-tracking-system/assets/css/style.css?ver=
  • citycourier-local-courier-booking-tracking-system/assets/css/citycourier-global.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • cc-header-bar
  • cc-header-brand
  • pro-badge
JS Globals
  • window.CityCourierData