WP-Safety

CURBON Security & Risk Analysis

wordpress.org/plugins/curbon

CURBON lets your customers decrease the carbon impact of their purchases on your online store

0 active installs v1.0.0 PHP 7.4+ WP + Updated May 5, 2023
carbon-neutral-checkoutcarbon-offsettingclimate-friendly-checkoutcurbonsustainable-shopping
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is CURBON Safe to Use in 2026?

Generally Safe

Score 85/100

CURBON has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2yr ago
Risk Assessment

The "curbon" v1.0.0 plugin exhibits a generally good security posture based on the static analysis. The plugin demonstrates strong adherence to secure coding practices by utilizing prepared statements for a significant majority of its SQL queries and properly escaping nearly all its output. The absence of known vulnerabilities, both historically and currently, is a positive indicator. Furthermore, the limited attack surface, with only one shortcode and no identified AJAX handlers or REST API routes that lack authentication checks, suggests a thoughtful approach to development.

Despite these strengths, there are areas that warrant attention. The presence of four taint flows with unsanitized paths, even without critical or high severity, indicates a potential for unintended data handling that could be exploited under specific circumstances. While the plugin has no recorded CVEs, the extensive number of external HTTP requests (88) is a notable concern, as each request represents a potential avenue for third-party vulnerabilities or data exposure. The lack of capability checks also means that the plugin's functionality might be accessible to users who shouldn't have access, depending on how its shortcode is implemented and what actions it performs.

Key Concerns

  • Taint flows with unsanitized paths
  • No capability checks
  • Large number of external HTTP requests
Vulnerabilities
None known

CURBON Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

CURBON Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
2 prepared
Unescaped Output
10
294 escaped
Nonce Checks
7
Capability Checks
0
File Operations
8
External Requests
88
Bundled Libraries
0

SQL Query Safety

67% prepared3 total queries

Output Escaping

97% escaped304 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

7 flows4 with unsanitized paths
saveCurbonSettingsCallback (includes\admin\class-curbon-admin-save-settings.php:119)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

CURBON Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[curbon-offset-box] includes\woo\class-curbon-woo-init.php:229
WordPress Hooks 35
actionplugins_loadedcurbon.php:31
actionupgrader_process_completecurbon.php:130
actionadmin_enqueue_scriptsincludes\admin\class-curbon-admin-enqueue-scripts.php:32
actionadmin_headincludes\admin\class-curbon-admin-enqueue-scripts.php:33
actionadmin_menuincludes\admin\class-curbon-admin-init.php:33
actionwoocommerce_update_productincludes\admin\class-curbon-admin-save-settings.php:33
actionadmin_initincludes\admin\class-curbon-admin-save-settings.php:43
actionadmin_initincludes\admin\class-curbon-admin-save-settings.php:51
actionadmin_initincludes\admin\class-curbon-admin-save-settings.php:59
actionadmin_noticesincludes\admin\class-curbon-admin-save-settings.php:206
actionadmin_noticesincludes\admin\class-curbon-admin-save-settings.php:235
actionwp_enqueue_scriptsincludes\class-curbon-enqueue-scripts.php:34
actionwp_enqueue_scriptsincludes\class-curbon-enqueue-scripts.php:43
actionadmin_enqueue_scriptsincludes\class-curbon-enqueue-scripts.php:52
actionrest_api_initincludes\class-curbon-webhook-calls.php:73
actionactivated_pluginincludes\class-registration-activation-init.php:32
actioninitincludes\woo\avada-functions-override.php:2
actionpre_get_postsincludes\woo\class-curbon-woo-init.php:67
actionwpincludes\woo\class-curbon-woo-init.php:75
actionwpincludes\woo\class-curbon-woo-init.php:83
filterwoocommerce_cart_totals_after_order_totalincludes\woo\class-curbon-woo-init.php:91
actionwpincludes\woo\class-curbon-woo-init.php:101
actionwoocommerce_after_cart_tableincludes\woo\class-curbon-woo-init.php:110
actionwoocommerce_before_checkout_formincludes\woo\class-curbon-woo-init.php:120
actionwoocommerce_mini_cart_contentsincludes\woo\class-curbon-woo-init.php:130
actionwoocommerce_thankyouincludes\woo\class-curbon-woo-init.php:140
actionwoocommerce_quantity_input_maxincludes\woo\class-curbon-woo-init.php:148
filterwoocommerce_cart_item_quantityincludes\woo\class-curbon-woo-init.php:158
filterwoocommerce_coupon_get_discount_amountincludes\woo\class-curbon-woo-init.php:168
filterwp_kses_allowed_htmlincludes\woo\class-curbon-woo-init.php:178
actionwpincludes\woo\class-curbon-woo-init.php:186
actionwpincludes\woo\class-curbon-woo-init.php:191
filtermanage_edit-shop_order_columnsincludes\woo\class-curbon-woo-init.php:194
actionmanage_shop_order_posts_custom_columnincludes\woo\class-curbon-woo-init.php:202
actionwoocommerce_order_refundedincludes\woo\class-curbon-woo-init.php:210
Maintenance & Trust

CURBON Maintenance & Trust

Maintenance Signals

WordPress version tested6.1.10
Last updatedMay 5, 2023
PHP min version7.4
Downloads2K

Community Trust

Rating100/100
Number of ratings1
Active installs0
Alternatives

CURBON Alternatives

Carbon Balance: Carbon calculation and offsetting for WooCommerce

Carbon Balance: Carbon calculation and offsetting for WooCommerce

carbonbalance-for-woocommerce

A
85

Empower your customers to make their order more climate Friendly

10 No CVEs
ClimateClick: Climate Action for all

ClimateClick: Climate Action for all

co2ok-for-woocommerce

B
84

Empower your customers to make their order climate neutral

10 2 CVEs
Developer Profile

CURBON Developer Profile

Curbon

1 plugin · 0 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect CURBON

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/curbon/assets/css/jquery-ui.css/wp-content/plugins/curbon/assets/css/curbon-admin-style.css/wp-content/plugins/curbon/assets/js/curbon-admin-script.js
Script Paths
/wp-content/plugins/curbon/assets/js/curbon-admin-script.js
Version Parameters
curbon-admin-stylecurbon-admin-scriptcurbon-jquery-ui

HTML / DOM Fingerprints

CSS Classes
toplevel_page_curbon-dashboard
JS Globals
curbonAdminObj
FAQ

Frequently Asked Questions about CURBON