Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce Security & Risk Analysis

wordpress.org/plugins/ongkoskirim-id

OngkosKirim.id is a WooCommerce shipping-cost plugin with the most complete feature set and the widest courier coverage, including JNE, TIKI, POS, J&T, Sicepat, …

2K active installs · v1.0.6 · PHP + WP 3.0.1+ · Updated Apr 15, 2020

Tags: jne, jnt, shipping, sicepat, wahana

Score: 63 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Sep 22, 2025
Safety Verdict

Is Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce Safe to Use in 2026?

Use With Caution

Score 63/100

Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 22, 2025 · Updated 5yr ago
Risk Assessment

The ongkoskirim-id plugin v1.0.6 exhibits a concerning security posture, primarily due to a significant lack of authorization checks on its entry points. All 6 identified AJAX handlers are exposed without any authentication or capability checks, creating a wide attack surface for unauthenticated users. While the plugin does not appear to use dangerous functions or raw SQL queries, the high percentage of improperly escaped output (87%) is a notable weakness that could lead to cross-site scripting (XSS) vulnerabilities. The taint analysis, while showing no critical or high-severity flows, does indicate 5 flows with unsanitized paths, which, combined with the lack of output escaping, warrants attention. Furthermore, the plugin has a history of known vulnerabilities, including one currently unpatched medium-severity CVE. This suggests a pattern of security oversights, with missing authorization being a recurring issue. Despite the absence of raw SQL and dangerous functions, the numerous unprotected AJAX endpoints, poor output escaping, and past vulnerability history make this plugin a moderate to high risk.

Key Concerns

  • Unprotected AJAX handlers
  • Unescaped output
  • Unpatched CVE
  • Flows with unsanitized paths
  • Missing capability checks
Vulnerabilities (1)

Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-57949 · medium · 5.4 · Missing Authorization

Ongkoskirim.id <= 1.0.6 - Missing Authorization

Sep 22, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 89 (13 escaped)
Nonce Checks: 3
Capability Checks: 0
File Operations: 0
External Requests: 4
Bundled Libraries: 0

Output Escaping

13% escaped · 102 total outputs
Data Flows: 5 unsanitized

Data Flow Analysis

5 flows · 5 with unsanitized paths
activate_license (admin\class-ongkoskirim-id-admin.php:184)
Attack Surface: 6 unprotected

Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce Attack Surface

Entry Points: 6
Unprotected: 6

AJAX Handlers (6)

auth · wp_ajax_ongkoskirim_id_activate_license · includes\class-ongkoskirim-id.php:164
auth · wp_ajax_ongkoskirim_id_deactivate_license · includes\class-ongkoskirim-id.php:165
auth · wp_ajax_get_cities · includes\class-ongkoskirim-id.php:194
nopriv · wp_ajax_get_cities · includes\class-ongkoskirim-id.php:195
auth · wp_ajax_get_districts · includes\class-ongkoskirim-id.php:197
nopriv · wp_ajax_get_districts · includes\class-ongkoskirim-id.php:198
WordPress Hooks (21)
action · plugins_loaded · includes\class-ongkoskirim-id.php:145
action · admin_enqueue_scripts · includes\class-ongkoskirim-id.php:160
action · admin_enqueue_scripts · includes\class-ongkoskirim-id.php:161
action · admin_menu · includes\class-ongkoskirim-id.php:162
action · admin_notices · includes\class-ongkoskirim-id.php:163
action · wp_enqueue_scripts · includes\class-ongkoskirim-id.php:184
action · wp_enqueue_scripts · includes\class-ongkoskirim-id.php:185
action · woocommerce_shipping_init · includes\class-ongkoskirim-id.php:187
filter · woocommerce_shipping_methods · includes\class-ongkoskirim-id.php:188
filter · woocommerce_billing_fields · includes\class-ongkoskirim-id.php:190
filter · woocommerce_shipping_fields · includes\class-ongkoskirim-id.php:191
filter · woocommerce_checkout_fields · includes\class-ongkoskirim-id.php:192
filter · woocommerce_checkout_update_order_review · includes\class-ongkoskirim-id.php:200
action · woocommerce_checkout_update_order_meta · includes\class-ongkoskirim-id.php:202
filter · woocommerce_shipping_calculator_enable_postcode · includes\class-ongkoskirim-id.php:204
filter · woocommerce_my_account_my_address_formatted_address · includes\class-ongkoskirim-id.php:205
filter · woocommerce_process_myaccount_field_billing_city · includes\class-ongkoskirim-id.php:208
filter · woocommerce_process_myaccount_field_shipping_city · includes\class-ongkoskirim-id.php:209
action · woocommerce_cart_calculate_fees · includes\class-ongkoskirim-id.php:212
action · woocommerce_review_order_after_cart_contents · includes\class-ongkoskirim-id.php:215
action · plugins_loaded · includes\class-ongkoskirim-id.php:217
Maintenance & Trust

Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Apr 15, 2020
PHP min version: (not listed)
Downloads: 93K

Community Trust

Rating: 78/100
Number of ratings: 11
Active installs: 2K
Developer Profile

Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce Developer Profile

oggix

1 plugin · 2K total installs

Trust score: 68
Avg Security Score: 63/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ongkoskirim-id/admin/css/ongkoskirim-id-welcome-style.css
/wp-content/plugins/ongkoskirim-id/admin/css/ongkoskirim-id-welcome-responsive.css
/wp-content/plugins/ongkoskirim-id/admin/css/ongkoskirim-id-admin.css
Script Paths
/wp-content/plugins/ongkoskirim-id/admin/js/ongkoskirim-id-admin.js
Version Parameters
ongkoskirim-id-admin.css?ver=
ongkoskirim-id-admin.js?ver=
ongkoskirim-id-welcome-style.css?ver=
ongkoskirim-id-welcome-responsive.css?ver=

HTML / DOM Fingerprints

Data Attributes
data-url, data-license, data-toggle, data-target
FAQ

Frequently Asked Questions about Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce