PostaPanduri Security & Risk Analysis

wordpress.org/plugins/postapanduri

Livrarionline is a complete online ERP solution for courier services & distribution companies.

30 active installs · v2.1.4 · PHP 5.5.0+ · WP 5.0+ · Updated Jul 4, 2025
Tags: ecommerce, pachetomat, postapanduri
Security score: 98 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jun 12, 2025
Safety Verdict

Is PostaPanduri Safe to Use in 2026?

Generally Safe

Score 98/100

PostaPanduri has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jun 12, 2025 · Updated 9mo ago
Risk Assessment

The "postapanduri" v2.1.4 plugin exhibits a concerning security posture, primarily due to a large and unprotected attack surface. All 15 of its AJAX handlers lack authentication checks, so an attacker could potentially reach these entry points without prior authorization. The plugin makes a decent effort to use prepared statements for SQL queries (81%), but the one unsanitized path identified in taint analysis warrants attention even though it is not classified as critical or high severity. Furthermore, the plugin has a history of a high-severity SQL injection vulnerability, a past weakness that could resurface if not adequately addressed in subsequent development.

The plugin does demonstrate some good practices, such as a substantial number of nonce checks (10) and capability checks (5), but these are overshadowed by the unprotected AJAX endpoints. Output escaping of only 43% also leaves room for improvement in preventing cross-site scripting (XSS). The past high-severity SQL injection vulnerability is a significant red flag even though it is currently patched; that history, combined with the large number of unprotected AJAX handlers, presents a substantial risk to websites using this plugin. On balance, some security fundamentals are present, but the exposed attack surface and the vulnerability history create a significant risk profile.

Key Concerns

  • 15 unprotected AJAX handlers
  • 1 unsanitized taint flow
  • 43% properly escaped output
  • 1 historical high severity CVE (SQLi)
  • 5 capability checks found
  • 10 nonce checks found
Vulnerabilities (1)

PostaPanduri Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched, none unpatched)

Severity Breakdown

High: 1 (1 total CVE)

CVE-2025-49452 · High · CVSS 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

PostaPanduri <= 2.1.3 - Unauthenticated SQL Injection

Jun 12, 2025 · Patched in 2.1.4 (27 days)
Code Analysis · Analyzed Mar 16, 2026

PostaPanduri Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 5 (22 prepared)
Unescaped Output: 117 (89 escaped)
Nonce Checks: 10
Capability Checks: 5
File Operations: 6
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

81% prepared · 27 total queries

Output Escaping

43% escaped · 206 total outputs
Data Flows: 1 unsanitized

Data Flow Analysis

4 flows · 1 with unsanitized paths

  • pp_product_display_smartlocker_info (inc\front\class-front.php:444) · unsanitized path from user input to a dangerous sink
Attack Surface: 15 unprotected

PostaPanduri Attack Surface

Entry Points: 15
Unprotected: 15

AJAX Handlers (15) · context · hook · location

  • auth · wp_ajax_genereaza_awb · inc\core\class-init.php:150
  • auth · wp_ajax_cancel_awb · inc\core\class-init.php:151
  • auth · wp_ajax_tracking_awb · inc\core\class-init.php:152
  • auth · wp_ajax_ajax_get_judete · inc\core\class-init.php:179
  • nopriv · wp_ajax_ajax_get_judete · inc\core\class-init.php:180
  • auth · wp_ajax_ajax_get_localitati · inc\core\class-init.php:182
  • nopriv · wp_ajax_ajax_get_localitati · inc\core\class-init.php:183
  • auth · wp_ajax_ajax_load_map · inc\core\class-init.php:184
  • nopriv · wp_ajax_ajax_load_map · inc\core\class-init.php:185
  • auth · wp_ajax_ajax_get_pachetomate · inc\core\class-init.php:186
  • nopriv · wp_ajax_ajax_get_pachetomate · inc\core\class-init.php:187
  • auth · wp_ajax_ajax_get_pachetomat · inc\core\class-init.php:188
  • nopriv · wp_ajax_ajax_get_pachetomat · inc\core\class-init.php:189
  • auth · wp_ajax_ajax_set_pachetomat_default · inc\core\class-init.php:205
  • nopriv · wp_ajax_ajax_set_pachetomat_default · inc\core\class-init.php:206
WordPress Hooks (34) · type · hook · location

  • action · admin_menu · inc\admin\class-settingspage.php:23
  • action · admin_init · inc\admin\class-settingspage.php:24
  • action · admin_notices · inc\core\class-init.php:58
  • action · plugins_loaded · inc\core\class-init.php:100
  • action · woocommerce_shipping_init · inc\core\class-init.php:106
  • action · init · inc\core\class-init.php:107
  • filter · woocommerce_shipping_methods · inc\core\class-init.php:121
  • action · admin_init · inc\core\class-init.php:139
  • action · admin_enqueue_scripts · inc\core\class-init.php:143
  • action · admin_enqueue_scripts · inc\core\class-init.php:144
  • action · woocommerce_order_status_changed · inc\core\class-init.php:153
  • action · add_meta_boxes · inc\core\class-init.php:155
  • action · before_woocommerce_init · inc\core\class-init.php:157
  • action · wp_enqueue_scripts · inc\core\class-init.php:176
  • action · wp_enqueue_scripts · inc\core\class-init.php:177
  • action · woocommerce_after_shipping_rate · inc\core\class-init.php:191
  • action · woocommerce_checkout_update_order_review · inc\core\class-init.php:192
  • action · woocommerce_before_shipping_calculator · inc\core\class-init.php:193
  • action · woocommerce_checkout_update_order_review · inc\core\class-init.php:194
  • action · woocommerce_view_order · inc\core\class-init.php:195
  • filter · woocommerce_api_wc_postapanduri_issn · inc\core\class-init.php:197
  • action · woocommerce_after_checkout_validation · inc\core\class-init.php:199
  • action · woocommerce_checkout_update_order_meta · inc\core\class-init.php:200
  • action · woocommerce_thankyou · inc\core\class-init.php:201
  • action · woocommerce_view_order · inc\core\class-init.php:202
  • action · before_woocommerce_pay · inc\core\class-init.php:203
  • filter · woocommerce_cart_shipping_method_full_label · inc\core\class-init.php:209
  • action · init · inc\core\class-init.php:221
  • filter · query_vars · inc\core\class-init.php:222
  • action · template_include · inc\core\class-init.php:223
  • action · postapanduri_generate_sitemaps_event · inc\core\class-init.php:224
  • filter · woocommerce_available_payment_gateways · inc\core\class-wc-postapanduri.php:73
  • filter · woocommerce_states · inc\core\class-wc-postapanduri.php:74
  • filter · wc_order_statuses · inc\core\class-wc-postapanduri.php:75

Scheduled Events (1)

  • postapanduri_generate_sitemaps_event
Maintenance & Trust

PostaPanduri Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jul 4, 2025
PHP min version: 5.5.0
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 30
Developer Profile

PostaPanduri Developer Profile

Adrian Ladó

2 plugins · 730 total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 114 days
Detection Fingerprints

How We Detect PostaPanduri

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/postapanduri/inc/admin/css/postapanduri-admin.css
  • /wp-content/plugins/postapanduri/inc/admin/js/postapanduri-admin-ajax.js
  • /wp-content/plugins/postapanduri/inc/admin/js/postapanduri-admin.js
Script Paths
  • /wp-content/plugins/postapanduri/inc/admin/js/postapanduri-admin-ajax.js
  • /wp-content/plugins/postapanduri/inc/admin/js/postapanduri-admin.js
Version Parameters
  • postapanduri-admin.css?ver=
  • postapanduri-admin-ajax.js?ver=
  • postapanduri-admin.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-nonce-url
JS Globals
ppaadmin
FAQ

Frequently Asked Questions about PostaPanduri