MailPlus Shipmate Security & Risk Analysis

wordpress.org/plugins/mailplus-shipmate

As an Australian shipping service, MailPlus Shipmate integrates MailPlus delivery options with WooCommerce, providing real-time shipping rates.

0 active installs · v0.1.0 · PHP 8.2+ · WP 5.0+ · Updated Feb 3, 2026
Tags: delivery, logistics, rates, shipping, woocommerce
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is MailPlus Shipmate Safe to Use in 2026?

Generally Safe

Score 100/100

MailPlus Shipmate has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The mailplus-shipmate plugin version 0.2.3 exhibits a concerning security posture primarily due to a significant number of unprotected entry points into the application. All five identified REST API routes lack permission callbacks, meaning any user, regardless of their role or logged-in status, can potentially interact with these endpoints. This large, exposed attack surface is a major security risk.

Despite the lack of critical findings in taint analysis and the absence of recorded vulnerabilities in its history, the unprotected REST API routes present a significant risk. While the plugin uses prepared statements for SQL queries and a high percentage of output is properly escaped, these good practices are undermined by the lack of authorization checks on its API endpoints. The presence of external HTTP requests without explicit analysis of their security implications is also a minor concern. In conclusion, the plugin has some good security foundations with its SQL and output handling, but the critical flaw of unprotected API routes makes it a high-risk component.

The plugin's vulnerability history is clean, which is a positive sign of either development quality or a lack of past scrutiny. However, this should not breed complacency. The current static analysis reveals a clear and present danger in the form of unauthenticated access to its REST API. This needs to be addressed immediately to mitigate potential exploitation.

Key Concerns

  • REST API routes without permission callbacks
  • Large attack surface without authorization
  • External HTTP requests without explicit security review
Vulnerabilities
None known

MailPlus Shipmate Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

MailPlus Shipmate Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 2 (52 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 0
External Requests: 4
Bundled Libraries: 0

Output Escaping

96% escaped, 54 total outputs
Attack Surface
5 unprotected

MailPlus Shipmate Attack Surface

Entry Points: 5
Unprotected: 5

REST API Routes (5)

POST  /wp-json/mailplus-shipmate/v1/orders/retrieve  includes\mailplus-shipmate-rest-endpoints.php:6
POST  /wp-json/mailplus-shipmate/v1/orders/fulfillment  includes\mailplus-shipmate-rest-endpoints.php:12
POST  /wp-json/mailplus-shipmate/v1/orders/is_local_pickup  includes\mailplus-shipmate-rest-endpoints.php:18
POST  /wp-json/mailplus-shipmate/v1/integration/complete  includes\mailplus-shipmate-rest-endpoints.php:24
POST  /wp-json/mailplus-shipmate/v1/integration/disconnect  includes\mailplus-shipmate-rest-endpoints.php:30

WordPress Hooks (11)

action  admin_menu  includes\mailplus-shipmate-admin-settings.php:4
action  rest_api_init  includes\mailplus-shipmate-rest-endpoints.php:4
action  admin_head  mailplus-shipmate.php:112
action  woocommerce_shipping_init  mailplus-shipmate.php:232
filter  woocommerce_shipping_methods  mailplus-shipmate.php:239
action  plugins_loaded  mailplus-shipmate.php:258
filter  woocommerce_shipping_methods  mailplus-shipmate.php:261
action  woocommerce_thankyou  mailplus-shipmate.php:273
action  woocommerce_admin_order_data_after_order_details  mailplus-shipmate.php:280
action  wp_enqueue_scripts  mailplus-shipmate.php:349
action  woocommerce_order_details_after_order_table  mailplus-shipmate.php:467
Maintenance & Trust

MailPlus Shipmate Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 3, 2026
PHP min version: 8.2
Downloads: 104

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

MailPlus Shipmate Developer Profile

shipmatedev

1 plugin · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect MailPlus Shipmate

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/mailplus-shipmate/assets/css/tracking.css
  • /wp-content/plugins/mailplus-shipmate/assets/js/tracking.js
Version Parameters
  • mailplus-shipmate/assets/css/tracking.css?ver=
  • mailplus-shipmate/assets/js/tracking.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • mp-track-box
  • mp-track-link
  • mp-info
  • mp-tooltip
  • mp-modal-toggle
  • mp-info-overlay
  • mp-modal
  • mp-close
Data Attributes
  • data-modal-target
JS Globals
  • mailplus_shipmate_tracking_data
REST Endpoints
  • /wp-json/mailplus-shipmate/v1/track