WP-Safety

افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری Security & Risk Analysis

wordpress.org/plugins/persian-woocommerce-shipping

ارسال مرسوله های ووکامرس از طریق پست پیشتاز، تسپاکس و پیک موتوری با محاسبه خودکار تعرفه

20K active installs v4.4.1 PHP 7.4+ WP 6.8+ Updated Feb 17, 2026
%d9%88%d9%88%da%a9%d8%a7%d9%85%d8%b1%d8%b3-%d9%81%d8%a7%d8%b1%d8%b3%db%8c%d9%88%d9%88%da%a9%d8%a7%d9%85%d8%b3%d9%be%d8%b3%d8%aa%d8%aa%db%8c%d9%be%d8%a7%da%a9%d8%b3%d8%ad%d9%85%d9%84-%d9%88-%d9%86%d9%82%d9%84
99
A · Safe
CVEs total1
Unpatched0
Last CVEMar 27, 2025
Plugin page Download
Safety Verdict

Is افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری Safe to Use in 2026?

Generally Safe

Score 99/100

افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Mar 27, 2025Updated 1mo ago
Risk Assessment

The Persian WooCommerce Shipping plugin v4.4.1 presents a mixed security posture. While it demonstrates some good practices such as a high percentage of prepared SQL statements and properly escaped output, significant concerns arise from its attack surface. A notable number of AJAX handlers (5 out of 8) and a REST API route lack authentication or permission checks, creating potential entry points for unauthorized actions. The presence of a `create_function` usage is also a red flag, as this is considered a dangerous function in PHP and can be a vector for code injection if not handled with extreme care. Taint analysis did not reveal critical or high severity flows, which is a positive indicator, however, the 5 analyzed flows all involved unsanitized paths, suggesting potential risks that may not have reached critical levels in this analysis but warrant attention.

The plugin's vulnerability history, despite having one medium-severity CVE in the past related to Cross-site Scripting, shows that there are currently no unpatched vulnerabilities. This indicates that past issues have been addressed. However, the presence of even one CVE, especially a medium one, highlights the importance of robust security practices. The overall conclusion is that while the plugin has addressed past issues and shows some good coding habits, the significant number of unprotected entry points and the use of a dangerous function represent areas of notable risk that should be prioritized for remediation.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API route
  • Use of dangerous function (create_function)
  • Flows with unsanitized paths
  • SQL queries without prepared statements
  • Low number of nonce checks
  • Low number of capability checks
Vulnerabilities
1

افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری Security Vulnerabilities

CVEs by Year

1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-30898medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

persian-woocommerce-shipping <= 4.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 27, 2025 Patched in 4.2.4 (7d)
Code Analysis
Analyzed Mar 16, 2026

افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری Code Analysis

Dangerous Functions
1
Raw SQL Queries
4
9 prepared
Unescaped Output
40
124 escaped
Nonce Checks
2
Capability Checks
4
File Operations
4
External Requests
6
Bundled Libraries
0

Dangerous Functions Found

create_function$callback = create_function( '', 'echo "' . str_replace( '"', '\"', $section['desc'] ) . '";'includes\admin\class-settings.php:113

SQL Query Safety

69% prepared13 total queries

Output Escaping

76% escaped164 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

5 flows5 with unsanitized paths
nabik_edit_state_callback (includes\admin\class-city.php:143)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
6 unprotected

افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری Attack Surface

Entry Points10
Unprotected6

AJAX Handlers 8

authwp_ajax_pws_install_citiesincludes\class-install.php:15
authwp_ajax_pws_dismiss_noticeincludes\class-notice.php:14
authwp_ajax_pws_update_noticeincludes\class-notice.php:15
authwp_ajax_mahdiy_load_citiesincludes\class-pws.php:80
noprivwp_ajax_mahdiy_load_citiesincludes\class-pws.php:81
authwp_ajax_mahdiy_load_districtsincludes\class-pws.php:82
noprivwp_ajax_mahdiy_load_districtsincludes\class-pws.php:83
authwp_ajax_pws_change_order_statusincludes\class-status.php:69

REST API Routes 1

POST/wp-json/pws/map/distance/maps\class-map-service.php:571

Shortcodes 1

[pws_map] maps\class-map-service.php:408
WordPress Hooks 104
actionadmin_menuincludes\admin\class-admin.php:14
actionadmin_headincludes\admin\class-admin.php:15
actionadmin_enqueue_scriptsincludes\admin\class-admin.php:16
filterparent_fileincludes\admin\class-admin.php:18
filterwoocommerce_get_sections_shippingincludes\admin\class-admin.php:19
filterwoocommerce_get_settings_shippingincludes\admin\class-admin.php:20
actionadmin_initincludes\admin\class-admin.php:80
filteruser_has_capincludes\admin\class-city.php:21
filterstate_city_row_actionsincludes\admin\class-city.php:22
filterget_edit_term_linkincludes\admin\class-city.php:23
actiondelete_state_cityincludes\admin\class-city.php:26
actionedited_state_cityincludes\admin\class-city.php:27
actioncreated_state_cityincludes\admin\class-city.php:28
actionadmin_menuincludes\admin\class-city.php:31
actionstate_city_pre_add_formincludes\admin\class-city.php:32
filteredit_state_city_per_pageincludes\admin\class-city.php:36
actionadmin_footerincludes\admin\class-city.php:37
filterget_termsincludes\admin\class-city.php:38
filterget_edit_term_linkincludes\admin\class-city.php:39
actionadmin_enqueue_scriptsincludes\admin\class-settings.php:36
actionadmin_initincludes\admin\class-settings.php:37
actionadmin_initincludes\class-install.php:13
actionadmin_noticesincludes\class-install.php:14
actionadd_meta_boxesincludes\class-map.php:37
actionwoocommerce_admin_order_data_after_billing_addressincludes\class-map.php:38
actionwoocommerce_process_shop_order_metaincludes\class-map.php:39
actionwoocommerce_order_details_after_customer_detailsincludes\class-map.php:40
filteradmin_headincludes\class-methods.php:8
filterwoocommerce_shipping_method_add_rateincludes\class-methods.php:9
filterwoocommerce_order_item_get_formatted_meta_dataincludes\class-methods.php:10
actionadmin_noticesincludes\class-notice.php:13
actionwoocommerce_shipping_initincludes\class-pws.php:84
actionwoocommerce_checkout_update_order_reviewincludes\class-pws.php:85
actionwoocommerce_admin_field_pws_single_countryincludes\class-pws.php:86
actionwp_enqueue_scriptsincludes\class-pws.php:87
actionadmin_enqueue_scriptsincludes\class-pws.php:88
filterwoocommerce_shipping_methodsincludes\class-pws.php:91
filterwoocommerce_get_settings_generalincludes\class-pws.php:92
filterwoocommerce_statesincludes\class-pws.php:93
filtermanage_edit-state_city_columnsincludes\class-pws.php:94
filtermanage_state_city_custom_columnincludes\class-pws.php:95
filterwoocommerce_checkout_fieldsincludes\class-pws.php:96
filterwoocommerce_checkout_update_order_metaincludes\class-pws.php:97
filterwoocommerce_checkout_processincludes\class-pws.php:98
filterwoocommerce_form_field_billing_cityincludes\class-pws.php:99
filterwoocommerce_form_field_shipping_cityincludes\class-pws.php:100
filterwoocommerce_form_field_billing_districtincludes\class-pws.php:101
filterwoocommerce_form_field_shipping_districtincludes\class-pws.php:102
filterwoocommerce_cart_shipping_packagesincludes\class-pws.php:103
filterwoocommerce_cart_shipping_method_full_labelincludes\class-pws.php:104
filterwoocommerce_localisation_address_formatsincludes\class-pws.php:105
filterwoocommerce_order_formatted_shipping_addressincludes\class-pws.php:106
filterwoocommerce_order_formatted_billing_addressincludes\class-pws.php:110
filterwoocommerce_formatted_address_replacementsincludes\class-pws.php:114
filterwoocommerce_my_account_my_address_formatted_addressincludes\class-pws.php:118
filterwoocommerce_checkout_get_valueincludes\class-pws.php:122
actionwoocommerce_order_status_changedincludes\class-sms.php:18
actionpws_save_order_post_barcodeincludes\class-sms.php:19
actioninitincludes\class-status.php:51
filterwc_order_statusesincludes\class-status.php:52
filterwoocommerce_reports_order_statusesincludes\class-status.php:53
filterwoocommerce_order_is_paid_statusesincludes\class-status.php:54
filterbulk_actions-edit-shop_orderincludes\class-status.php:55
filterbulk_actions-woocommerce_page_wc-ordersincludes\class-status.php:56
actionadmin_enqueue_scriptsincludes\class-status.php:62
actionadd_meta_boxesincludes\class-status.php:65
actionsave_postincludes\class-status.php:66
actionmanage_posts_extra_tablenavincludes\class-status.php:67
actionwoocommerce_order_list_table_extra_tablenavincludes\class-status.php:68
filtercron_schedulesincludes\class-status.php:70
actionwpincludes\class-status.php:71
actionpws_check_statusincludes\class-status.php:72
actionwoocommerce_orders_table_query_clausesincludes\class-status.php:73
filterget_ancestorsincludes\class-tapin.php:44
actionadmin_bar_menuincludes\class-tools.php:15
filterwoocommerce_package_ratesincludes\class-tools.php:19
filterwoocommerce_package_ratesincludes\class-tools.php:23
filterwoocommerce_new_order_note_dataincludes\class-tools.php:26
filterpws_statesincludes\class-tools.php:27
filterpws_citiesincludes\class-tools.php:28
actionadmin_initincludes\class-version.php:436
actionwp_loadedmaps\class-map-service.php:53
actionwoocommerce_cart_loaded_from_sessionmaps\class-map-service.php:58
actioninitmaps\class-map-service.php:64
actionwp_enqueue_scriptsmaps\class-map-service.php:115
actionadmin_enqueue_scriptsmaps\class-map-service.php:116
actionrest_api_initmaps\class-map-service.php:119
actioninitmaps\class-map-service.php:122
filterwoocommerce_checkout_fieldsmaps\class-map-service.php:126
filterwoocommerce_checkout_get_valuemaps\class-map-service.php:127
actionwoocommerce_checkout_create_ordermaps\class-map-service.php:130
filterpws_map_store_marker_imagemaps\class-map-service.php:134
filterpws_map_user_marker_imagemaps\class-map-service.php:135
filterpws_map_user_marker_colormaps\class-map-service.php:136
filterpws_map_store_marker_colormaps\class-map-service.php:137
actionwoocommerce_checkout_processmaps\class-map-service.php:141
actionwp_enqueue_scriptsmaps\class-mapp.php:25
actionadmin_enqueue_scriptsmaps\class-mapp.php:26
actionwp_enqueue_scriptsmaps\class-neshan.php:27
actionadmin_enqueue_scriptsmaps\class-neshan.php:28
actionwp_enqueue_scriptsmaps\class-osm.php:17
actionadmin_enqueue_scriptsmaps\class-osm.php:18
actionwoocommerce_loadedwoocommerce-shipping.php:41
actionbefore_woocommerce_initwoocommerce-shipping.php:66

Scheduled Events 1

pws_check_status
Maintenance & Trust

افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 17, 2026
PHP min version7.4
Downloads698K

Community Trust

Rating90/100
Number of ratings102
Active installs20K
Alternatives

افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری Alternatives

AWSA Shipping – Advanced Shipping for Woocommerce and Dokan

AWSA Shipping – Advanced Shipping for Woocommerce and Dokan

awsa-shipping

C
63

روش های حمل و نقل با تنظیمات پیشرفته

90 1 unpatched
ووکامرس فارسی

ووکامرس فارسی

persian-woocommerce

A
99

بسته ووکامرس فارسی به راحتی سیستم فروشگاه ساز ووکامرس را فارسی می کند و امکانات جدید متناسب با ایران را به ووکامرس اضافه میکند.

100K 2 CVEs
افزونه پیامک ووکامرس Persian WooCommerce SMS

افزونه پیامک ووکامرس Persian WooCommerce SMS

persian-woocommerce-sms

B
72

افزونه کامل و حرفه ای برای اطلاع رسانی پیامکی سفارشات و رویداد های محصولات ووکامرس

50K 1 unpatched
Zify Gateway

Zify Gateway

zify-gateway

A
100

افزونه درگاه پرداخت زیفای برای ووکامرس

0 No CVEs
پارسی دیت – Parsi Date

پارسی دیت – Parsi Date

wp-parsidate

A
99

Persian date support for WordPress

100K 2 CVEs
Developer Profile

افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری Developer Profile

Mahdi Yousefi [MahdiY]

10 plugins · 27K total installs

92
trust score
Avg Security Score
89/100
Avg Patch Time
7 days
View full developer profile
Detection Fingerprints

How We Detect افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/persian-woocommerce-shipping/assets/css/admin.css
Version Parameters
persian-woocommerce-shipping/assets/css/admin.css?ver=

HTML / DOM Fingerprints

Data Attributes
data-pws-pro-url
FAQ

Frequently Asked Questions about افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری