Shipping for Nova Poshta Security & Risk Analysis

wordpress.org/plugins/nova-poshta-ttn

Delivery to a branch, parcel locker (poshtomat) or street address (with street auto-search). Creation of TTN waybills. The most convenient plugin. (Translated from Ukrainian; original: "Доставка на відділення, поштомат та адресу (з автопошуком вулиць). Створення ТТН. Найзручніший плагін.")

500 active installs · v1.19.8 · PHP 7.4+ · WP 5.0+ · Updated Jul 30, 2025
Security score: 98/100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Dec 29, 2024
Safety Verdict

Is Shipping for Nova Poshta Safe to Use in 2026?

Generally Safe

Score 98/100

Shipping for Nova Poshta has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Dec 29, 2024 · Updated 8 months ago
Risk Assessment

Version 1.19.8 of "nova-poshta-ttn" presents a mixed security posture. On the positive side, roughly two thirds of its SQL queries go through $wpdb->prepare() and part of its output is escaped. The concerns are its attack surface and the taint results. The plugin registers 19 AJAX handlers: nine are registered for both wp_ajax_ (any logged-in user, down to subscriber) and wp_ajax_nopriv_ (no login at all), and the static scan found only one nonce check and two capability checks in the whole code base, so these handlers are effectively unauthenticated, unauthorized entry points. Taint analysis traced 11 data flows with unsanitized paths from request input to a dangerous sink, 4 of them rated high severity; if any of those flows is reachable through one of the open handlers, data manipulation or unauthorized access is a realistic outcome. The previously disclosed high-severity unauthenticated SQL injection (CVE-2025-24612, fixed in 1.19.7) shows that this class of bug has already occurred in the plugin once, which makes input sanitization the point to watch.

Key Concerns

  • Large AJAX attack surface (19 handlers, 9 of them reachable without login) with no authorization checks
  • High severity taint flows
  • Unescaped output
  • Raw SQL without prepare (1 of 66)
  • Nonce checks present (1) but insufficient: a nonce is CSRF protection, not authorization
  • Bundled library (Select2)
Vulnerabilities
1

Shipping for Nova Poshta Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched; none unpatched)

Severity Breakdown

High: 1 (1 total CVE)

CVE-2025-24612 · High (7.5) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Shipping for Nova Poshta plugin for WordPress <= 1.19.6 - Unauthenticated SQL Injection

Disclosed Dec 29, 2024 · Patched in 1.19.7 (58 days)
Code Analysis
Analyzed Mar 16, 2026

Shipping for Nova Poshta Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 23 (43 prepared)
Unescaped Output: 188 (99 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 1
External Requests: 21
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

65% prepared (43 of 66 queries)

Output Escaping

34% escaped (99 of 287 outputs)
Data Flows
11 unsanitized

Data Flow Analysis

11 flows, 11 with unsanitized paths
ajaxGetAreasByNameSuggestion (classes\repository\AbstractAreaRepository.php:31)
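The Key Concerns above (open AJAX handlers, a nonce check that does not amount to authorization, SQL built without prepare()) and the area-name suggestion flow listed here describe one pattern. The following is an added example, not code from the plugin or from this page: a generic unsafe WordPress AJAX suggestion handler next to a hardened one. The hook names, the nonce action, the table name np_areas and the capability are assumptions chosen for the illustration.

```php
<?php
// Added example (not code from the nova-poshta-ttn plugin). Shows how a WordPress
// AJAX search-suggestion handler of the kind listed in the data-flow section
// should be wired so that it is neither an unauthenticated entry point nor an
// SQL sink. Hook names, nonce action, table name and capability are assumptions.

// Generic UNSAFE pattern (illustrative only, not taken from the plugin):
// request input is concatenated into SQL, and the handler is reachable without
// login or nonce. This is the CWE-89 class behind CVE-2025-24612.
function example_unsafe_area_suggest() {
    global $wpdb;
    $name = $_POST['name'];                                      // tainted source
    $rows = $wpdb->get_results(                                  // SQL sink
        "SELECT ref, description FROM {$wpdb->prefix}np_areas WHERE description LIKE '%{$name}%'"
    );
    wp_send_json( $rows );
}
add_action( 'wp_ajax_example_area_suggest_unsafe',        'example_unsafe_area_suggest' );
add_action( 'wp_ajax_nopriv_example_area_suggest_unsafe', 'example_unsafe_area_suggest' );

// Hardened version of the same handler.
function example_safe_area_suggest() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce issued for this action
    //    (wp_create_nonce( 'example_area_suggest' ) on the page that calls it).
    //    A nonce is not authorization: it only proves the request came from a
    //    page this visitor loaded, so step 2 is still needed where it applies.
    check_ajax_referer( 'example_area_suggest', 'nonce' );

    // 2. Authorization: decide who may call this. A checkout widget needs a
    //    nopriv handler, so there is no capability to check. An admin action
    //    (removing a TTN, refreshing warehouse tables) must instead gate on a
    //    capability; "logged in" alone admits every subscriber:
    // if ( ! current_user_can( 'manage_woocommerce' ) ) {
    //     wp_send_json_error( 'forbidden', 403 );
    // }

    // 3. Input: unslash, normalize, bound the length, reject empties.
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $name = mb_substr( $name, 0, 64 );
    if ( '' === $name ) {
        wp_send_json_error( 'empty query', 400 );
    }

    // 4. SQL: escape LIKE metacharacters, then bind with prepare(). esc_like()
    //    alone does not quote; prepare() alone leaves a user-supplied % or _
    //    free to change the pattern. Both are needed for a LIKE search.
    $like = '%' . $wpdb->esc_like( $name ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ref, description FROM {$wpdb->prefix}np_areas WHERE description LIKE %s LIMIT %d",
            $like,
            20
        ),
        ARRAY_A
    );

    // 5. Output: return JSON rather than echoing raw strings; the client-side
    //    template escapes for its context. wp_send_json_success() also dies, so
    //    nothing after it leaks into the response body.
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_example_area_suggest',        'example_safe_area_suggest' );
add_action( 'wp_ajax_nopriv_example_area_suggest', 'example_safe_area_suggest' );
```

The two handlers differ in nothing but the five checks; the query itself is the same. When reviewing a plugin's handlers, look for each of the five in turn, and treat a nonce check that is the only check on an admin-only action as the "present but insufficient" case flagged above.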
Attack Surface
19 unprotected

Shipping for Nova Poshta Attack Surface

Entry Points: 19
Unprotected: 19

AJAX Handlers (19)

Scope | Handler | Location
auth | wp_ajax_mrkv_np_remove_ttn | includes\class-morkvanp-plugin-loader.php:150
nopriv | wp_ajax_mrkv_np_remove_ttn | includes\class-morkvanp-plugin-loader.php:151
auth | wp_ajax_mrkvnp_warehouses_updated | nova-poshta-ttn.php:95
auth | wp_ajax_npdata_fetch | nova-poshta-ttn.php:106
nopriv | wp_ajax_npdata_fetch | nova-poshta-ttn.php:107
auth | wp_ajax_npdata_fetchwh | nova-poshta-ttn.php:136
nopriv | wp_ajax_npdata_fetchwh | nova-poshta-ttn.php:137
auth | wp_ajax_novaposhta_updbasesnp | nova-poshta-ttn.php:165
nopriv | wp_ajax_novaposhta_updbasesnp | nova-poshta-ttn.php:166
auth | wp_ajax_my_actionfogetnpshippngcost | nova-poshta-ttn.php:188
nopriv | wp_ajax_my_actionfogetnpshippngcost | nova-poshta-ttn.php:189
auth | wp_ajax_actionMrkvNpGetPostomatCost | nova-poshta-ttn.php:265
nopriv | wp_ajax_actionMrkvNpGetPostomatCost | nova-poshta-ttn.php:266
auth | wp_ajax_actionMrkvNpGetAddressCost | nova-poshta-ttn.php:341
nopriv | wp_ajax_actionMrkvNpGetAddressCost | nova-poshta-ttn.php:342
auth | wp_ajax_my_action_for_wc_get_chosen_method_ids | nova-poshta-ttn.php:703
nopriv | wp_ajax_my_action_for_wc_get_chosen_method_ids | nova-poshta-ttn.php:704
auth | wp_ajax_mrkv_np_remove_notice | nova-poshta-ttn.php:890
nopriv | wp_ajax_mrkv_np_remove_notice | nova-poshta-ttn.php:891

"auth" handlers (wp_ajax_*) run for any logged-in user, including subscribers; "nopriv" handlers (wp_ajax_nopriv_*) run for unauthenticated visitors. WordPress performs no authorization on either, so each handler must verify a nonce and, where the action is privileged, a capability itself. Note that mrkv_np_remove_ttn, novaposhta_updbasesnp and mrkv_np_remove_notice, which by name are administrative actions, are registered for nopriv as well.
WordPress Hooks (91)

Type | Hook | Location
action | admin_enqueue_scripts | admin\class-morkvanp-plugin-admin.php:13
action | admin_notices | admin\class-morkvanp-plugin-admin.php:14
action | woocommerce_after_calculate_totals | classes\Calculator.php:34
action | woocommerce_calculated_shipping | classes\Calculator.php:35
filter | woocommerce_shipping_calculator_enable_postcode | classes\Calculator.php:56
filter | woocommerce_checkout_fields | classes\Checkout.php:44
filter | woocommerce_billing_fields | classes\Checkout.php:46
filter | woocommerce_shipping_fields | classes\Checkout.php:47
action | woocommerce_checkout_process | classes\Checkout.php:49
action | woocommerce_checkout_update_order_meta | classes\Checkout.php:50
action | woocommerce_thankyou | classes\Checkout.php:52
filter | woocommerce_cart_shipping_packages | classes\Checkout.php:54
filter | nova_poshta_disable_default_fields | classes\Checkout.php:56
filter | nova_poshta_disable_nova_poshta_fields | classes\Checkout.php:57
filter | default_checkout_billing_nova_poshta_region | classes\Checkout.php:59
filter | default_checkout_billing_nova_poshta_city | classes\Checkout.php:60
filter | default_checkout_billing_nova_poshta_warehouse | classes\Checkout.php:61
filter | default_checkout_billing_nova_poshta_street | classes\Checkout.php:62
filter | default_checkout_shipping_nova_poshta_region | classes\Checkout.php:63
filter | default_checkout_shipping_nova_poshta_city | classes\Checkout.php:64
filter | default_checkout_shipping_nova_poshta_warehouse | classes\Checkout.php:65
action | woocommerce_admin_order_data_after_billing_address | classes\Checkout.php:67
action | woocommerce_admin_order_data_after_billing_address | classes\Checkout.php:68
action | woocommerce_admin_order_data_after_billing_address | classes\Checkout.php:69
action | woocommerce_admin_order_data_after_billing_address | classes\Checkout.php:70
filter | woocommerce_checkout_fields | classes\CheckoutAddress.php:45
filter | woocommerce_default_address_fields | classes\CheckoutAddress.php:46
action | woocommerce_checkout_process | classes\CheckoutAddress.php:48
action | woocommerce_checkout_update_order_meta | classes\CheckoutAddress.php:49
action | woocommerce_admin_order_data_after_billing_address | classes\CheckoutAddress.php:51
action | woocommerce_admin_order_data_after_billing_address | classes\CheckoutAddress.php:52
action | woocommerce_admin_order_data_after_billing_address | classes\CheckoutAddress.php:53
action | woocommerce_admin_order_data_after_shipping_address | classes\CheckoutAddress.php:54
action | admin_notices | classes\DatabaseSync.php:327
filter | woocommerce_cart_shipping_method_full_label | classes\WC_NovaPoshtaAddress_Shipping_Method.php:141
filter | woocommerce_cart_shipping_method_full_label | classes\WC_NovaPoshta_Shipping_Method.php:152
filter | woocommerce_cart_shipping_method_full_label | classes\WC_NovaPoshta_Shipping_Method_Poshtomat.php:142
filter | wpcf7_form_elements | functions.php:15
action | admin_menu | includes\class-morkvanp-plugin-loader.php:135
action | add_meta_boxes | includes\class-morkvanp-plugin-loader.php:136
action | admin_init | includes\class-morkvanp-plugin-loader.php:137
filter | manage_woocommerce_page_wc-orders_columns | includes\class-morkvanp-plugin-loader.php:140
action | manage_woocommerce_page_wc-orders_custom_column | includes\class-morkvanp-plugin-loader.php:141
filter | manage_edit-shop_order_columns | includes\class-morkvanp-plugin-loader.php:144
action | manage_shop_order_posts_custom_column | includes\class-morkvanp-plugin-loader.php:145
filter | wp_mail_from_name | includes\class-morkvanp-plugin-loader.php:148
filter | woocommerce_account_orders_columns | includes\class-morkvanp-plugin-loader.php:154
action | woocommerce_my_account_my_orders_column_order-ship-to | includes\class-morkvanp-plugin-loader.php:156
action | plugins_loaded | includes\class-morkvanp-plugin.php:130
action | admin_enqueue_scripts | includes\class-morkvanp-plugin.php:142
action | admin_enqueue_scripts | includes\class-morkvanp-plugin.php:143
action | wp_enqueue_scripts | includes\class-morkvanp-plugin.php:155
action | wp_enqueue_scripts | includes\class-morkvanp-plugin.php:156
action | init | includes\NovattnPoshta.php:32
action | plugins_loaded | includes\NovattnPoshta.php:33
action | plugins_loaded | includes\NovattnPoshta.php:34
action | wp_head | includes\NovattnPoshta.php:35
action | wp_enqueue_scripts | includes\NovattnPoshta.php:36
action | wp_enqueue_scripts | includes\NovattnPoshta.php:37
action | admin_enqueue_scripts | includes\NovattnPoshta.php:38
action | admin_enqueue_scripts | includes\NovattnPoshta.php:39
action | woocommerce_shipping_init | includes\NovattnPoshta.php:42
filter | woocommerce_shipping_methods | includes\NovattnPoshta.php:43
action | woocommerce_shipping_init | includes\NovattnPoshtaAddress.php:29
filter | woocommerce_shipping_methods | includes\NovattnPoshtaAddress.php:30
filter | plugins_api | includes\update-check.php:72
filter | site_transient_update_plugins | includes\update-check.php:75
filter | transient_update_plugins | includes\update-check.php:76
filter | plugin_row_meta | includes\update-check.php:78
action | admin_init | includes\update-check.php:79
action | all_admin_notices | includes\update-check.php:80
filter | upgrader_post_install | includes\update-check.php:83
action | delete_site_transient_update_plugins | includes\update-check.php:84
filter | cron_schedules | includes\update-check.php:103
action | admin_init | includes\update-check.php:115
action | load-update-core.php | includes\update-check.php:119
action | load-plugins.php | includes\update-check.php:120
action | load-update.php | includes\update-check.php:121
action | upgrader_process_complete | includes\update-check.php:123
action | plugins_loaded | includes\update-check.php:133
filter | upgrader_source_selection | includes\update-check.php:137
action | before_woocommerce_init | nova-poshta-ttn.php:19
filter | woocommerce_package_rates | nova-poshta-ttn.php:517
filter | woocommerce_package_rates | nova-poshta-ttn.php:553
filter | woocommerce_package_rates | nova-poshta-ttn.php:570
action | woocommerce_shipping_init | nova-poshta-ttn.php:728
filter | woocommerce_shipping_methods | nova-poshta-ttn.php:737
action | before_woocommerce_init | nova-poshta-ttn.php:829
action | admin_notices | nova-poshta-ttn.php:833
action | upgrader_process_complete | nova-poshta-ttn.php:834
action | admin_enqueue_styles | public\class-morkvanp-plugin-public.php:55

The filters on plugins_api, site_transient_update_plugins, transient_update_plugins and upgrader_source_selection in includes\update-check.php mean the plugin takes part in its own update lookup and package selection. Before trusting that channel, confirm where those update packages are fetched from and how they are authenticated; a plugin that feeds its own package URL into the WordPress upgrader is a supply-chain dependency in its own right.
Maintenance & Trust

Shipping for Nova Poshta Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jul 30, 2025
PHP min version: 7.4
Downloads: 36K

Community Trust

Rating: 82/100
Number of ratings: 40
Active installs: 500
Developer Profile

Shipping for Nova Poshta Developer Profile

Ihor Kit

14 plugins · 3K total installs

Trust score: 93
Avg Security Score: 98/100
Avg Patch Time: 11 days
Detection Fingerprints

How We Detect Shipping for Nova Poshta

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/nova-poshta-ttn/assets/css/nova-poshta-admin.css
/wp-content/plugins/nova-poshta-ttn/assets/css/nova-poshta-frontend.css
/wp-content/plugins/nova-poshta-ttn/assets/js/nova-poshta-admin.js
/wp-content/plugins/nova-poshta-ttn/assets/js/nova-poshta-frontend.js
/wp-content/plugins/nova-poshta-ttn/assets/js/nova-poshta-checkout.js
Script Paths
/wp-content/plugins/nova-poshta-ttn/assets/js/nova-poshta-admin.js
/wp-content/plugins/nova-poshta-ttn/assets/js/nova-poshta-frontend.js
/wp-content/plugins/nova-poshta-ttn/assets/js/nova-poshta-checkout.js
Version Parameters
nova-poshta-ttn/assets/css/nova-poshta-admin.css?ver=
nova-poshta-ttn/assets/css/nova-poshta-frontend.css?ver=
nova-poshta-ttn/assets/js/nova-poshta-admin.js?ver=
nova-poshta-ttn/assets/js/nova-poshta-frontend.js?ver=
nova-poshta-ttn/assets/js/nova-poshta-checkout.js?ver=

HTML / DOM Fingerprints

CSS Classes
mrkvnplastupdate
mrkvnpajaxupdate
npcityli
npwhli
Data Attributes
data-np-city-ref
data-np-warehouse-ref
JS Globals
npdata_fetchwh
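As an added example (not code from this page or from the plugin), the checker below applies these fingerprints to a page's HTML: it matches the asset paths listed above, reads the ?ver= value, falls back to the data attributes and JS global when no asset is found, and compares the lowest version seen against 1.19.7, the release that fixed CVE-2025-24612. The HTML samples are constructed for the demonstration; the regular expression and the constant names are assumptions of the example.

```php
<?php
// Added example, not code from the page or from the nova-poshta-ttn plugin.
// Detects the plugin in a page's HTML from the asset paths, data attributes and
// JS global listed in the fingerprint section, and reads the version exposed in
// the ?ver= parameter. The HTML samples at the bottom are constructed.

const NP_TTN_FIXED_VERSION = '1.19.7';   // CVE-2025-24612 is fixed from this release

// Asset URL with an optional ?ver= value; the version is capture group 1.
const NP_TTN_ASSET_RE =
    '#/wp-content/plugins/nova-poshta-ttn/assets/(?:css|js)/nova-poshta-[a-z]+\.(?:css|js)(?:\?ver=([0-9][0-9A-Za-z.\-]*))?#';

// Secondary DOM/JS markers: still present when assets are concatenated or renamed.
const NP_TTN_DOM_MARKERS = [ 'data-np-city-ref', 'data-np-warehouse-ref', 'npdata_fetchwh' ];

/**
 * Fingerprint one HTML document.
 * Returns ['present' => bool, 'versions' => string[], 'vulnerable' => bool|null].
 * 'vulnerable' is null when the plugin is present but no version could be read.
 */
function np_ttn_fingerprint( string $html ): array {
    $asset_hits = preg_match_all( NP_TTN_ASSET_RE, $html, $m );
    $dom_hits   = 0;
    foreach ( NP_TTN_DOM_MARKERS as $marker ) {
        if ( false !== strpos( $html, $marker ) ) {
            $dom_hits++;
        }
    }
    if ( ! $asset_hits && ! $dom_hits ) {
        return [ 'present' => false, 'versions' => [], 'vulnerable' => null ];
    }

    // Distinct ?ver= values actually seen. A site may emit its WordPress version
    // or a cache-buster here instead of the plugin version, so all values are
    // reported and the operator confirms against the plugin's readme.txt or the
    // admin plugin list before acting on the verdict.
    $versions = $asset_hits ? array_values( array_unique( array_filter( $m[1] ) ) ) : [];
    if ( ! $versions ) {
        return [ 'present' => true, 'versions' => [], 'vulnerable' => null ];
    }

    // Compare the lowest version seen. version_compare() orders 1.19.6 before
    // 1.19.10 correctly, which a plain string comparison would not.
    usort( $versions, 'version_compare' );
    return [
        'present'    => true,
        'versions'   => $versions,
        'vulnerable' => version_compare( $versions[0], NP_TTN_FIXED_VERSION, '<' ),
    ];
}

// Constructed samples, one per outcome the function can produce.
$samples = [
    'unpatched' => '<link rel="stylesheet" href="https://shop.example/wp-content/plugins/nova-poshta-ttn/assets/css/nova-poshta-frontend.css?ver=1.19.6" />'
                 . '<script src="https://shop.example/wp-content/plugins/nova-poshta-ttn/assets/js/nova-poshta-checkout.js?ver=1.19.6"></script>',
    'patched'   => '<script src="/wp-content/plugins/nova-poshta-ttn/assets/js/nova-poshta-frontend.js?ver=1.19.8"></script>',
    'dom-only'  => '<li class="npcityli" data-np-city-ref="example-ref">Example city</li>',
    'absent'    => '<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js?ver=9.0.0"></script>',
];

foreach ( $samples as $label => $html ) {
    $r = np_ttn_fingerprint( $html );
    printf(
        "%-9s present=%-3s versions=[%s] vulnerable=%s\n",
        $label,
        $r['present'] ? 'yes' : 'no',
        implode( ',', $r['versions'] ),
        null === $r['vulnerable'] ? 'unknown' : ( $r['vulnerable'] ? 'yes' : 'no' )
    );
}
```

Run it with `php` from the command line. Two caveats apply to any result: a site that strips or rewrites ?ver= (many caching and optimization plugins do) yields "unknown" rather than a clean version, and a site that emits its WordPress version in ?ver= would compare as "not vulnerable" even on 1.19.6, so a negative result from the version check alone is not proof of patching.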
FAQ

Frequently Asked Questions about Shipping for Nova Poshta