WP-Safety

Shipping Live Rates and Access Points for UPS for WooCommerce Security & Risk Analysis

wordpress.org/plugins/flexible-shipping-ups

Provide auto-calculated UPS rates and Access Point options. Easy 5-minute setup. Show real prices and nearest pickup points at WooCommerce checkout.

7K active installs v3.6.6 PHP 7.4+ WP 6.4+ Updated Mar 31, 2026
upsups-live-ratesups-ratesups-shippingups-woocommerce
99
A · Safe
CVEs total2
Unpatched0
Last CVEOct 24, 2024
Plugin page Download
Safety Verdict

Is Shipping Live Rates and Access Points for UPS for WooCommerce Safe to Use in 2026?

Generally Safe

Score 99/100

Shipping Live Rates and Access Points for UPS for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Oct 24, 2024Updated 1mo ago
Risk Assessment

The flexible-shipping-ups plugin version 3.6.3 exhibits a mixed security posture. On the positive side, it has a very small attack surface, with only one AJAX handler and no unprotected entry points. The plugin also demonstrates good practices by overwhelmingly using prepared statements for SQL queries and implementing a reasonable number of nonce and capability checks. However, the presence of several dangerous functions, including `proc_open`, `shell_exec`, and `unserialize`, raises concerns about potential code execution vulnerabilities if these are not handled with extreme care. The low percentage of properly escaped output (26%) is a significant weakness, indicating a risk of Cross-Site Scripting (XSS) vulnerabilities where user-supplied data might be rendered without proper sanitization.

The vulnerability history shows two past medium-severity CVEs, both related to Missing Authorization and Cross-Site Request Forgery (CSRF). While there are no currently unpatched vulnerabilities, the pattern of past issues suggests that authorization checks and input validation, particularly concerning user-supplied data, have been areas of weakness. The taint analysis shows no high or critical severity flows, which is a positive indicator, but this should be considered in conjunction with the other code signals. The bundling of Guzzle, while not inherently problematic, could introduce risks if the library itself is outdated and vulnerable.

In conclusion, while the plugin has a controlled attack surface and uses prepared statements effectively, the identified dangerous functions, a low rate of proper output escaping, and a history of authorization and CSRF issues warrant caution. The primary risks lie in potential code execution and XSS vulnerabilities due to improper output handling. It is crucial to ensure that all instances of dangerous functions are secured and that output escaping is thoroughly audited and improved.

Key Concerns

  • Low rate of properly escaped output
  • Presence of dangerous functions (proc_open, shell_exec, unserialize)
  • Past medium severity CVEs related to authorization and CSRF
  • Bundled library (Guzzle) - potential for outdatedness
Vulnerabilities
2 published

Shipping Live Rates and Access Points for UPS for WooCommerce Security Vulnerabilities

CVEs by Year

2 CVEs in 2024
2024
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2024-9109medium · 4.3Missing Authorization

UPS Live Rates and Access Points <= 2.3.12 - Missing Authorization to Plugin API key reset

Oct 24, 2024 Patched in 3.0.0 (5d)
CVE-2024-31944medium · 4.3Cross-Site Request Forgery (CSRF)

WooCommerce UPS Shipping – Live Rates and Access Points <= 2.2.4 - Cross-Site Request Forgery

Apr 11, 2024 Patched in 2.2.5 (6d)
Version History

Shipping Live Rates and Access Points for UPS for WooCommerce Release Timeline

v3.6.6Current
v3.6.5
v3.6.4
v3.6.3
v3.6.2
v3.6.1
v3.6.0
v3.5.4
v3.5.3
v3.5.2
v3.5.1
v3.5.0
v3.4.5
v3.4.4
v3.4.3
v3.4.2
v3.4.1
v3.4.0
v3.3.0
v3.2.7
Code Analysis
Analyzed Mar 16, 2026

Shipping Live Rates and Access Points for UPS for WooCommerce Code Analysis

Dangerous Functions
5
Raw SQL Queries
2
17 prepared
Unescaped Output
252
87 escaped
Nonce Checks
18
Capability Checks
9
File Operations
36
External Requests
5
Bundled Libraries
1

Dangerous Functions Found

proc_open$this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd);vendor_prefixed\monolog\monolog\src\Monolog\Handler\ProcessHandler.php:104
shell_exec$branches = shell_exec('git branch -v --no-abbrev');vendor_prefixed\monolog\monolog\src\Monolog\Processor\GitProcessor.php:60
shell_exec$result = explode(' ', trim((string) shell_exec('hg id -nb')));vendor_prefixed\monolog\monolog\src\Monolog\Processor\MercurialProcessor.php:59
unserializereturn unserialize($value);vendor_prefixed\wpdesk\wp-forms\src\Serializer\SerializeSerializer.php:15
unserializereturn unserialize($this->container->get($id));vendor_prefixed\wpdesk\wp-persistence\src\Decorator\SerializedPersistentContainer.php:24

Bundled Libraries

Guzzle

SQL Query Safety

89% prepared19 total queries

Output Escaping

26% escaped339 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
processAjaxNoticeDismiss (vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:72)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Shipping Live Rates and Access Points for UPS for WooCommerce Attack Surface

Entry Points1
Unprotected0

AJAX Handlers 1

authwp_ajax_wpdesk_notice_dismissvendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:42
WordPress Hooks 101
actionbefore_woocommerce_initflexible-shipping-ups.php:67
actionadmin_initsrc\Plugin\ActivationDate.php:25
actionflexible_shipping_ups_settings_sidebarsrc\Plugin\AdvertMetabox\ProPluginMetaBox.php:27
actionadmin_enqueue_scriptssrc\Plugin\Assets.php:38
actionadmin_noticessrc\Plugin\OldProVersionMessage.php:22
actionwoocommerce_order_status_changedsrc\Plugin\OrderCounter.php:25
actioninitsrc\Plugin\Plugin.php:179
actionadmin_initsrc\Plugin\Plugin.php:202
actioninitsrc\Plugin\Plugin.php:210
actioninitsrc\Plugin\Plugin.php:232
actionadmin_initsrc\Plugin\Plugin.php:238
actioninitsrc\Plugin\Plugin.php:316
filterwoocommerce_shipping_methodssrc\Plugin\Plugin.php:363
actionwoocommerce_initsrc\Plugin\Plugin.php:364
actionwoocommerce_initsrc\Plugin\Plugin.php:365
actionwoocommerce_initsrc\Plugin\Plugin.php:366
filterplugin_row_metasrc\Plugin\PluginLinks.php:16
actionadmin_noticessrc\Plugin\RateNotice.php:24
actionwpdesk_notice_dismissed_noticesrc\Plugin\RateNotice.php:25
actionwoocommerce_blocks_checkout_block_registrationvendor_prefixed\octolize\octolize-checkout-block-integration\src\Blocks\Registrator.php:25
actionwoocommerce_blocks_cart_block_registrationvendor_prefixed\octolize\octolize-checkout-block-integration\src\Blocks\Registrator.php:28
actionwoocommerce_blocks_loadedvendor_prefixed\octolize\octolize-checkout-block-integration\src\Blocks\StoreEndpoint.php:24
actionwoocommerce_blocks_checkout_block_registrationvendor_prefixed\octolize\octolize-pickup-point-checkout-blocks\src\Blocks\PickupPoint\MapPickupPoint\MapRegistrator.php:12
filterwoocommerce_shipping_method_add_ratevendor_prefixed\octolize\octolize-pickup-point-checkout-blocks\src\Blocks\PickupPoint\MapPickupPoint\ShippingRateMetaData.php:10
actionwoocommerce_blocks_checkout_block_registrationvendor_prefixed\octolize\octolize-pickup-point-checkout-blocks\src\Blocks\PickupPoint\Registrator.php:32
actionwoocommerce_store_api_checkout_update_order_from_requestvendor_prefixed\octolize\octolize-pickup-point-checkout-blocks\src\Blocks\PickupPoint\StoreEndpoint.php:21
actionwoocommerce_blocks_loadedvendor_prefixed\octolize\octolize-pickup-point-checkout-blocks\src\Blocks\PickupPoint\StoreEndpoint.php:22
actionadmin_enqueue_scriptsvendor_prefixed\octolize\wp-octolize-brand-assets\src\Brand\Assets\AdminAssets.php:54
actionadmin_enqueue_scriptsvendor_prefixed\octolize\wp-octolize-docs-chat\src\Chat\Assets.php:20
actionadmin_footervendor_prefixed\octolize\wp-octolize-docs-chat\src\Chat\ChatContainer.php:18
actionadmin_noticesvendor_prefixed\octolize\wp-octolize-tracker\src\OptInNotice\OptInNotice.php:41
actionadmin_footervendor_prefixed\octolize\wp-octolize-tracker\src\OptInNotice\OptInNotice.php:55
filterwpdesk_tracker_notice_screensvendor_prefixed\octolize\wp-octolize-tracker\src\TrackerInitializer.php:82
actionplugins_loadedvendor_prefixed\octolize\wp-octolize-tracker\src\TrackerInitializer.php:83
actioncurrent_screenvendor_prefixed\octolize\wp-onboarding\src\Onboarding\Onboarding.php:64
actionadmin_enqueue_scriptsvendor_prefixed\octolize\wp-onboarding\src\Onboarding\Onboarding.php:70
actionadmin_footervendor_prefixed\octolize\wp-onboarding\src\Onboarding\Onboarding.php:71
filterwpdesk_tracker_deactivation_datavendor_prefixed\octolize\wp-onboarding\src\Onboarding\OnboardingDeactivationData.php:31
filterwpdesk_tracker_datavendor_prefixed\octolize\wp-onboarding\src\Onboarding\OnboardingTrackerData.php:38
actionupgrader_process_completevendor_prefixed\octolize\wp-onboarding\src\Onboarding\PluginUpgrade\PluginUpgradeWatcher.php:31
actionadmin_enqueue_scriptsvendor_prefixed\octolize\wp-shipping-extensions\src\ShippingExtensions\Assets.php:37
filteroctolize/shipping-extensions/header-promovendor_prefixed\octolize\wp-shipping-extensions\src\ShippingExtensions\BlackFriday2025Promo.php:15
filteroctolize/shipping-extensions/should-add-badgevendor_prefixed\octolize\wp-shipping-extensions\src\ShippingExtensions\BlackFriday2025Promo.php:16
actionoctolize/shipping-extensions/view-trackingvendor_prefixed\octolize\wp-shipping-extensions\src\ShippingExtensions\BlackFriday2025Promo.php:17
actionadmin_menuvendor_prefixed\octolize\wp-shipping-extensions\src\ShippingExtensions\Page.php:40
actionin_admin_headervendor_prefixed\octolize\wp-shipping-extensions\src\ShippingExtensions\PageViewTracker.php:29
actionwpdesk_tracker_startedvendor_prefixed\octolize\wp-shipping-extensions\src\ShippingExtensions\Tracker\Tracker.php:29
actionadmin_headvendor_prefixed\octolize\wp-shipping-extensions\src\ShippingExtensions\WooCommerceSuggestions.php:12
actionflexible_shipping_ups_token_createdvendor_prefixed\octolize\wp-ups-oauth\src\OAuth\ActionScheduler\RefreshTokenActionScheduler.php:26
actionflexible_shipping_ups_token_refreshedvendor_prefixed\octolize\wp-ups-oauth\src\OAuth\ActionScheduler\RefreshTokenActionScheduler.php:27
actionwoocommerce_update_optionvendor_prefixed\octolize\wp-ups-oauth\src\OAuth\ClientCredentialsTokenActions.php:18
actionadmin_noticesvendor_prefixed\octolize\wp-ups-oauth\src\OAuth\CreateTokenAction.php:38
actionadmin_noticesvendor_prefixed\octolize\wp-ups-oauth\src\OAuth\Notices.php:31
actionadmin_enqueue_scriptsvendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:148
actionwp_enqueue_scriptsvendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:149
actionadmin_enqueue_scriptsvendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:41
actionadmin_noticesvendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:144
actionadmin_footervendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:145
filterwp_autoloader_loader_loaders_to_loadvendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:45
filterwp_autoloader_loader_loaders_to_createvendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:46
actionplugins_loadedvendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\Simple\SimplePaidStrategy.php:58
actionplugins_loadedvendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:81
actionbefore_woocommerce_initvendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:88
actionactivated_pluginvendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:102
filterdoing_it_wrong_trigger_errorvendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:123
actionwoocommerce_after_order_itemmetavendor_prefixed\wpdesk\wp-ups-shipping-method\src\WooCommerceShipping\Ups\Advertisement\UpsLabels.php:12
actionadmin_noticesvendor_prefixed\wpdesk\wp-ups-shipping-method\src\WooCommerceShipping\Ups\AuthCodeNotice.php:18
filterwpdesk_tracker_datavendor_prefixed\wpdesk\wp-ups-shipping-method\src\WooCommerceShipping\Ups\Tracker.php:48
actionadmin_noticesvendor_prefixed\wpdesk\wp-ups-shipping-method\src\WooCommerceShipping\Ups\XmlApiNotice.php:17
actionwoocommerce_active_payments_checkout_shipping_methodvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\ActivePayments\Integration.php:39
actionadmin_noticesvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\AddMethodReminder\AddMethodReminder.php:44
actionadmin_initvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\AddMethodReminder\ClickNoticeTracker.php:23
filterwpdesk_tracker_deactivation_datavendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\AddMethodReminder\DeactivationTrackerData.php:26
filterwpdesk_tracker_datavendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\AddMethodReminder\TrackerData.php:25
actionadmin_enqueue_scriptsvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\Assets.php:59
actionadmin_enqueue_scriptsvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\Assets.php:60
actionwp_enqueue_scriptsvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\Assets.php:61
actionwoocommerce_review_order_after_shippingvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\CollectionPoints\CheckoutHandler.php:89
actionwoocommerce_checkout_update_order_reviewvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\CollectionPoints\CheckoutHandler.php:90
actionwoocommerce_after_shipping_ratevendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\EstimatedDelivery\EstimatedDeliveryDatesDisplay.php:56
filterwoocommerce_package_ratesvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\EstimatedDelivery\EstimatedDeliveryDatesDisplay.php:57
actionwoocommerce_hidden_order_itemmetavendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\EstimatedDelivery\EstimatedDeliveryDatesDisplay.php:58
filterwoocommerce_order_item_display_meta_keyvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\OrderMetaData\AdminOrderMetaDataDisplay.php:70
filterwoocommerce_order_item_display_meta_valuevendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\OrderMetaData\AdminOrderMetaDataDisplay.php:71
filterwoocommerce_hidden_order_itemmetavendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\OrderMetaData\AdminOrderMetaDataDisplay.php:72
actionwoocommerce_order_details_after_order_tablevendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\OrderMetaData\FrontOrderMetaDataDisplay.php:44
actionwoocommerce_email_order_metavendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\OrderMetaData\FrontOrderMetaDataDisplay.php:45
actionadmin_noticesvendor_prefixed\wpdesk\wp-woocommerce-shipping\src\WooCommerceShipping\ThirdParty\Germanized\TaxSettingsNotice.php:18
actionadmin_enqueue_scriptsvendor_prefixed\wpdesk\wp-wpdesk-rating-petition\src\PopupPetition\PopupPetitionDisplayer.php:34
actionadmin_noticesvendor_prefixed\wpdesk\wp-wpdesk-rating-petition\src\RatingPetitionNotice.php:82
actionadmin_noticesvendor_prefixed\wpdesk\wp-wpdesk-rating-petition\src\RatingPetitionNotice.php:83
actionwpdesk_notice_dismissed_noticevendor_prefixed\wpdesk\wp-wpdesk-rating-petition\src\RatingPetitionNotice.php:84
actionadmin_enqueue_scriptsvendor_prefixed\wpdesk\wp-wpdesk-rating-petition\src\TextPetitionDisplayer.php:39
filteradmin_footer_textvendor_prefixed\wpdesk\wp-wpdesk-rating-petition\src\TextPetitionDisplayer.php:62
actionadmin_initvendor_prefixed\wpdesk\wp-wpdesk-rating-petition\src\TimeWatcher\ShippingMethodInstanceWatcher.php:75
actionwoocommerce_shipping_zone_method_addedvendor_prefixed\wpdesk\wp-wpdesk-rating-petition\src\TimeWatcher\ShippingMethodInstanceWatcher.php:76
actionadmin_enqueue_scriptsvendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\Assets.php:28
actionadmin_menuvendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:35
actionadmin_initvendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:36
actionadmin_noticesvendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptOut.php:28
filterplugin_row_metavendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\PluginActionLinks.php:36
Maintenance & Trust

Shipping Live Rates and Access Points for UPS for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 31, 2026
PHP min version7.4
Downloads694K

Community Trust

Rating94/100
Number of ratings74
Active installs7K
Alternatives

Shipping Live Rates and Access Points for UPS for WooCommerce Alternatives

Automated UPS Shipping for WooCommerce – HPOS supported

Automated UPS Shipping for WooCommerce – HPOS supported

a2z-ups-shipping

A
100

UPS plugin: Real-time rates, label printing, auto tracking emails, previews on product pages, and more. Seamless integration.

100 No CVEs
Shipping Method for UPS and WooCommerce

Shipping Method for UPS and WooCommerce

shipping-method-for-ups-and-wc

A
85

The Shipping Method for WooCommerce UPS is a Wordpress Plugin that integrate the UPS service, it will calculate the shipping cost and the delivery tim &hellip;

0 No CVEs
Shipping Methods for UPS on WooCommerce

Shipping Methods for UPS on WooCommerce

woo-ups-shipping-method

A
85

UPS shipping methods for WooCommerce. Provide live shipping rates by UPS.

0 No CVEs
OPSI Israel Domestic Shipments

OPSI Israel Domestic Shipments

woo-ups-pickup

B
78

UPS Israel PickUP Access Points (Stores and Lockers) for WooCommerce. Displays Live Shipping Rates based on the Shipping Address and Cart Content.

300 1 unpatched
UPS Shipping

UPS Shipping

woo-ups-shipping

A
85

UPS Shipping method for WooCommerce site. Easy installation and very light for WooCommerce sites.

40 No CVEs
Developer Profile

Shipping Live Rates and Access Points for UPS for WooCommerce Developer Profile

Octolize Shipping Plugins

11 plugins · 114K total installs

79
trust score
Avg Security Score
100/100
Avg Patch Time
91 days
View full developer profile
Detection Fingerprints

How We Detect Shipping Live Rates and Access Points for UPS for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/flexible-shipping-ups/src/Plugin/AdvertMetabox/view/html-pro-features.php
Script Paths
/wp-content/plugins/flexible-shipping-ups/vendor_prefixed/octolize/octolize-checkout-block-integration/build/index.js/wp-content/plugins/flexible-shipping-ups/vendor_prefixed/octolize/octolize-checkout-block-integration/build/style-index.css
Version Parameters
flexible-shipping-ups/src/Plugin/AdvertMetabox/view/html-pro-features.php?ver=flexible-shipping-ups/vendor_prefixed/octolize/octolize-checkout-block-integration/build/index.js?ver=flexible-shipping-ups/vendor_prefixed/octolize/octolize-checkout-block-integration/build/style-index.css?ver=

HTML / DOM Fingerprints

CSS Classes
ups-upgrade-box
HTML Comments
<!-- PRO features -->
Data Attributes
data-ups-upgrade-box-element
JS Globals
UpsShippingServicewp
FAQ

Frequently Asked Questions about Shipping Live Rates and Access Points for UPS for WooCommerce