
LlegoYa Envíos Security & Risk Analysis
wordpress.org/plugins/llegoya-envios
This plugin lets WooCommerce calculate shipping costs through the LlegoYa API and send order details to an external service.
Is LlegoYa Envíos Safe to Use in 2026?
Generally Safe
Score 100/100
LlegoYa Envíos has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The plugin 'llegoya-envios' v2.4.1 exhibits a mixed security posture. On the positive side, the code demonstrates good practices regarding SQL queries, consistently using prepared statements, and all identified output is properly escaped, indicating a low risk of cross-site scripting (XSS) vulnerabilities stemming from output handling. Furthermore, the absence of known CVEs and a clean vulnerability history suggests the developers have a generally good track record for security.
However, significant concerns arise from the attack surface analysis. The plugin exposes two AJAX handlers, both of which lack any authentication or capability checks. This presents a substantial risk as any unauthenticated user could potentially interact with these entry points, leading to unintended functionality or information disclosure if not properly secured internally. While taint analysis found no explicit flows with unsanitized paths and no dangerous functions were identified, the lack of authentication on AJAX handlers is a critical oversight that could allow attackers to exploit these points regardless of internal code sanitization. The absence of nonce checks on these AJAX handlers exacerbates this risk, making it easier for attackers to trigger these functions programmatically.
Key Concerns
- Unprotected AJAX handlers
- Missing nonce checks on AJAX
LlegoYa Envíos Security Vulnerabilities
LlegoYa Envíos Code Analysis
Output Escaping
LlegoYa Envíos Attack Surface
AJAX Handlers: 2
WordPress Hooks: 15
LlegoYa Envíos Maintenance & Trust
Maintenance Signals
Community Trust
LlegoYa Envíos Alternatives
Shiprocket
shiprocket
Auto Sync your Woocommerce store orders & ship them at lowest shipping rates. Automate your shipping, save time & money.
Bijak
bijak
Add smart freight shipping to WooCommerce with live rate estimates and order integration via the Bijak API.
CODPartner
codpartner
A Platform that covers all logistics needs for COD e-commerce sellers.
Do Deliver Orders
do-deliver-orders
Streamline WooCommerce order delivery with Do Deliver integration. Note: This plugin connects to a third-party external service (Do Deliver).
MailPlus Shipmate
mailplus-shipmate
As an Australian shipping service, MailPlus Shipmate integrates MailPlus delivery options with WooCommerce, providing real-time shipping rates.
LlegoYa Envíos Developer Profile
1 plugin · 0 total installs
How We Detect LlegoYa Envíos
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/llegoya-envios/css/style.css
- /wp-content/plugins/llegoya-envios/js/script.js
- llegoya-envios/css/style.css?ver=
- llegoya-envios/js/script.js?ver=
HTML / DOM Fingerprints
- llegoya-envios-admin-wrap
- llegoya-envios-settings
- wrap
- notice-error
- dashicons-warning
- <!-- AVISO EN ROJO -->
- <!-- si por algún motivo no llegaron coord. → usa constantes de respaldo -->
- <!-- 3. calcula hoy/mañana para Flex -->
- name="llegoya_envios_settings[token]"
- name="llegoya_envios_settings[gkey]"
- id="woocommerce_llegoya_title"
- id="woocommerce_llegoya_enabled"
- ly_envios_vars
- /wp-json/llegoya-envios/v1/calculate
- [llegoya_tracking]
- [llegoya_tracking_form]