Postcode Checkout – Postcode Validation Security & Risk Analysis

wordpress.org/plugins/postcode-checkout-postcode-validation

📦 Validate Customer Addresses in WooCommerce

10 active installs · v3.0.9.1 · PHP 8.1+ · WP 6.0+ · Updated Mar 11, 2026
Tags: address, checkout, postcode, validation, woocommerce
Score: 100
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Postcode Checkout – Postcode Validation Safe to Use in 2026?

Generally Safe

Score 100/100

Postcode Checkout – Postcode Validation has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 23d ago
Risk Assessment

The "postcode-checkout-postcode-validation" plugin version 3.0.9.1 presents a significant security risk because of its large attack surface of unprotected AJAX handlers. All 8 identified AJAX endpoints (four actions, each registered for both logged-in and unauthenticated requests) lack proper authentication and authorization checks, so any user, authenticated or not, could potentially trigger these actions. The static analysis found no capability checks and no nonce checks on these handlers, which leaves the entry points open to manipulation. The plugin follows good practice in other areas, using prepared statements for all SQL queries and escaping most of its output, but these strengths are overshadowed by the critical vulnerability of unprotected AJAX endpoints. The absence of any recorded vulnerabilities in its history is positive and suggests a potentially stable codebase, but it does not mitigate the immediate risks identified in the static analysis. This plugin requires immediate attention to secure its AJAX endpoints.

Key Concerns

  • 8 AJAX handlers without auth checks
  • 0 Nonce checks on AJAX handlers
  • 0 Capability checks on AJAX handlers
Vulnerabilities
None known

Postcode Checkout – Postcode Validation Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Postcode Checkout – Postcode Validation Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 1 (15 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 3
External Requests: 7
Bundled Libraries: 0

Output Escaping

94% escaped · 16 total outputs
Attack Surface
8 unprotected

Postcode Checkout – Postcode Validation Attack Surface

Entry Points: 8
Unprotected: 8

AJAX Handlers 8

auth · wp_ajax_pcav_autocomplete · controllers\postcode-checkout-address-validation-controller.php:42
nopriv · wp_ajax_pcav_autocomplete · controllers\postcode-checkout-address-validation-controller.php:43
auth · wp_ajax_pcav_details · controllers\postcode-checkout-address-validation-controller.php:45
nopriv · wp_ajax_pcav_details · controllers\postcode-checkout-address-validation-controller.php:46
auth · wp_ajax_pcav_pro6pp · controllers\postcode-checkout-address-validation-controller.php:71
nopriv · wp_ajax_pcav_pro6pp · controllers\postcode-checkout-address-validation-controller.php:72
auth · wp_ajax_pcav_national · controllers\postcode-checkout-address-validation-controller.php:93
nopriv · wp_ajax_pcav_national · controllers\postcode-checkout-address-validation-controller.php:94
WordPress Hooks 12
action · admin_enqueue_scripts · controllers\postcode-checkout-address-validation-controller.php:27
action · profile_personal_options · controllers\postcode-checkout-address-validation-controller.php:119
action · woocommerce_admin_order_data_after_billing_address · controllers\postcode-checkout-address-validation-controller.php:121
action · woocommerce_admin_order_data_after_shipping_address · controllers\postcode-checkout-address-validation-controller.php:123
action · wp · controllers\postcode-checkout-address-validation-controller.php:127
action · enqueue_block_assets · controllers\postcode-checkout-address-validation-controller.php:130
action · woocommerce_checkout_billing · controllers\postcode-checkout-address-validation-controller.php:133
action · woocommerce_before_edit_account_address_form · controllers\postcode-checkout-address-validation-controller.php:134
action · wp_enqueue_scripts · controllers\postcode-checkout-address-validation-controller.php:159
filter · woocommerce_get_settings_pages · controllers\postcode-checkout-address-validation-controller.php:929
action · before_woocommerce_init · postcodecheckout-for-woo.php:87
filter · plugin_row_meta · postcodecheckout-for-woo.php:100
Maintenance & Trust

Postcode Checkout – Postcode Validation Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 8.1
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Postcode Checkout – Postcode Validation Developer Profile

CodeBrain BV

3 plugins · 620 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Postcode Checkout – Postcode Validation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/postcode-checkout-postcode-validation/assets/css/pcav_admin.css
/wp-content/plugins/postcode-checkout-postcode-validation/assets/css/pcav_checkout.css
/wp-content/plugins/postcode-checkout-postcode-validation/assets/js/pcav_admin.js
/wp-content/plugins/postcode-checkout-postcode-validation/assets/js/pcav_checkout.js
/wp-content/plugins/postcode-checkout-postcode-validation/assets/js/pcav_common.js
/wp-content/plugins/postcode-checkout-postcode-validation/assets/js/pcav_international.js
Version Parameters
postcode-checkout-postcode-validation/assets/css/pcav_admin.css?ver=
postcode-checkout-postcode-validation/assets/css/pcav_checkout.css?ver=
postcode-checkout-postcode-validation/assets/js/pcav_admin.js?ver=
postcode-checkout-postcode-validation/assets/js/pcav_checkout.js?ver=
postcode-checkout-postcode-validation/assets/js/pcav_common.js?ver=
postcode-checkout-postcode-validation/assets/js/pcav_international.js?ver=

HTML / DOM Fingerprints

CSS Classes
pcav_checkout_fields
pcav_label_wrapper
pcav_input_wrapper
Data Attributes
data-pcav-autocomplete-url
data-pcav-details-url
data-pcav-enabled-checkout
data-pcav-provider
data-pcav-hide-fields
data-pcav-empty-fields
+6 more
JS Globals
pcav_config
REST Endpoints
/wp-json/pcav/v1/validate
FAQ

Frequently Asked Questions about Postcode Checkout – Postcode Validation