Does Sendcloud Shipping have any unpatched vulnerabilities?

No. All known vulnerabilities in Sendcloud Shipping have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Sendcloud Shipping compatible with WordPress 6.9.4?

According to WordPress.org data, Sendcloud Shipping 1.0.24 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Sendcloud Shipping compatible with PHP 7.0+?

Sendcloud Shipping requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Sendcloud Shipping updated?

Sendcloud Shipping was last updated on Feb 19, 2026. Frequent updates are generally a positive security signal.

What is Sendcloud Shipping's security score?

Sendcloud Shipping has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Sendcloud Shipping Security & Risk Analysis

wordpress.org/plugins/sendcloud-connected-shipping

SendCloud helps to grow your online store by optimizing the shipping process. Shipping packages has never been that easy!

4K active installs v1.0.24 PHP 7.0+ WP 4.9+ Updated Feb 19, 2026

order-trackingservice-pointsshippingshipping-rateswoocommerce

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Sendcloud Shipping Safe to Use in 2026?

Generally Safe

Score 100/100

Sendcloud Shipping has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago

Risk Assessment

The sendcloud-connected-shipping v1.0.24 plugin exhibits a concerning security posture primarily due to its unprotected AJAX endpoints and the presence of a dangerous function. While the plugin demonstrates good practices in its use of prepared statements for SQL queries and a decent rate of output escaping, the unprotected attack surface is a significant risk. All six identified AJAX handlers lack authentication checks, meaning any user, regardless of their role or permissions, could potentially trigger these functions. Furthermore, the use of the `unserialize` function, especially in conjunction with potentially user-controlled input that could reach these AJAX endpoints, opens the door to remote code execution or denial-of-service vulnerabilities if not handled with extreme caution and validation. The taint analysis revealing two flows with unsanitized paths, even without critical or high severity designations, suggests potential weaknesses in how data is handled, which could be exacerbated by the unprotected entry points. The plugin's history of zero known CVEs is positive, indicating a potentially well-maintained codebase in the past, but this does not mitigate the immediate risks identified in the current static analysis. The overall security is weakened by the exposed AJAX handlers and the dangerous function, outweighing the positive aspects of its SQL and output escaping practices.

Key Concerns

6 unprotected AJAX handlers
Dangerous function unserialize used
2 unsanitized taint flows
0 capability checks on AJAX

Vulnerabilities

None known

Sendcloud Shipping Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Sendcloud Shipping Code Analysis

Dangerous Functions

Raw SQL Queries

20 prepared

Unescaped Output

104 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$configurations[ $settings['option_name'] ] = unserialize( $settings['option_value'] );includes\Repositories\class-shipping-method-options-repository.php:33

SQL Query Safety

91% prepared22 total queries

Output Escaping

77% escaped135 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

perform_basic_authentication (includes\Controllers\Api\class-authorization.php:58)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

6 unprotected

Sendcloud Shipping Attack Surface

Entry Points6

Unprotected6

AJAX Handlers 6

authwp_ajax_get_redirect_sc_v2_urlincludes\HookHandlers\class-api-handler.php:55

authwp_ajax_sc_check_statusincludes\HookHandlers\class-api-handler.php:59

authwp_ajax_sc_support_getincludes\HookHandlers\class-api-handler.php:63

authwp_ajax_sc_support_saveincludes\HookHandlers\class-api-handler.php:67

authwp_ajax_migrate_service_pointsincludes\HookHandlers\class-api-handler.php:71

authwp_ajax_sc_check_migrationincludes\HookHandlers\class-api-handler.php:75

WordPress Hooks 28

actionplugins_loadeddatabase\Migrations\migration.v.1.0.1.php:15

actionplugins_loadeddatabase\Migrations\migration.v.1.0.11.php:15

actionadmin_menuincludes\class-sendcloud.php:178

actioninitincludes\class-sendcloud.php:180

actionplugins_loadedincludes\class-sendcloud.php:181

actionactivated_pluginincludes\class-sendcloud.php:182

actionbefore_woocommerce_initincludes\class-sendcloud.php:183

actionadmin_noticesincludes\class-sendcloud.php:201

filterwoocommerce_shipping_methodsincludes\class-sendcloud.php:317

actionrest_api_initincludes\HookHandlers\class-api-handler.php:25

actionwoocommerce_process_product_metaincludes\HookHandlers\class-product-handler.php:39

actionwoocommerce_product_options_inventory_product_dataincludes\HookHandlers\class-product-handler.php:41

actionwoocommerce_product_options_shipping_product_dataincludes\HookHandlers\class-product-handler.php:43

actionwoocommerce_update_productincludes\HookHandlers\class-product-handler.php:47

actionwoocommerce_blocks_enqueue_checkout_block_scripts_afterincludes\ServicePoint\Checkout\class-checkout-block-handler.php:19

actionwoocommerce_blocks_enqueue_checkout_block_scripts_afterincludes\ServicePoint\Checkout\class-checkout-block-handler.php:24

actionwoocommerce_store_api_checkout_update_order_from_requestincludes\ServicePoint\Checkout\class-checkout-block-handler.php:30

actionwoocommerce_store_api_cart_select_shipping_rateincludes\ServicePoint\Checkout\class-checkout-block-handler.php:36

actionwoocommerce_blocks_loadedincludes\ServicePoint\Checkout\class-checkout-block-handler.php:42

actionwoocommerce_checkout_after_order_reviewincludes\ServicePoint\Checkout\class-checkout-handler.php:54

actionwfacp_checkout_after_order_reviewincludes\ServicePoint\Checkout\class-checkout-handler.php:55

actionwoocommerce_after_shipping_rateincludes\ServicePoint\Checkout\class-checkout-handler.php:56

actionwoocommerce_checkout_processincludes\ServicePoint\Checkout\class-checkout-handler.php:57

actionwoocommerce_checkout_update_order_metaincludes\ServicePoint\Checkout\class-checkout-handler.php:58

actionwoocommerce_thankyouincludes\ServicePoint\Checkout\class-checkout-handler.php:59

actionwoocommerce_view_orderincludes\ServicePoint\Checkout\class-checkout-handler.php:60

actionwoocommerce_email_after_order_tableincludes\ServicePoint\class-email-handler.php:35

actionwoocommerce_admin_order_data_after_shipping_addressincludes\ServicePoint\class-order-admin-handler.php:26

Maintenance & Trust

Sendcloud Shipping Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 19, 2026

PHP min version7.0

Downloads35K

Community Trust

Rating56/100

Number of ratings10

Active installs4K

Alternatives

Sendcloud Shipping Alternatives

Advanced Shipment Tracking for WooCommerce

woo-advanced-shipment-tracking

Add shipment tracking info to WooCommerce orders, send tracking numbers to customers via email, and let them track deliveries from My Account.

60K 2 CVEs

Printful Integration for WooCommerce

printful-shipping-for-woocommerce

Grow your store with the top print-on-demand dropshipping plugin

50K 2 CVEs

WC Hide Shipping Methods

wc-hide-shipping-methods

100

This plugin automatically hides all other shipping methods when "Free Shipping" is available, while allowing you to retain "Local Picku …

20K No CVEs

AfterShip Tracking – All-In-One WooCommerce Order Tracking (Free plan available)

aftership-woocommerce-tracking

Track orders in one place. shipment tracking, automated notifications, order lookup, branded tracking page, delivery day prediction

8K 1 CVE

Gelato Integration for WooCommerce

gelato-integration-for-woocommerce

Sell globally, print locally with 100+ production hubs in 32 countries

5K No CVEs

Developer Profile

Sendcloud Shipping Developer Profile

Sendcloud

1 plugin · 4K total installs

trust score

Avg Security Score

100/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Sendcloud Shipping

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/sendcloud-connected-shipping/resources/css/sendcloud-connection-page.css/wp-content/plugins/sendcloud-connected-shipping/resources/js/sendcloud.page.js/wp-content/plugins/sendcloud-connected-shipping/resources/js/service-point-block.js

Script Paths

https://fonts.googleapis.com/css2?family=Source+Sans+Pro:wght@400;700&display=swap

Version Parameters

sendcloud-v2-csssendcloud-v2-js-pagesendcloud-v2-service-point-jssendcloud-v2-service-point-block

HTML / DOM Fingerprints

CSS Classes

sendcloud-page

HTML Comments

Data Attributes

data-sendcloud-page

JS Globals

SENDCLOUDSHIPPING_V2_LANGUAGESENDCLOUDSHIPPING_V2_SELECT_SPP_LABELSENDCLOUDSHIPPING_V2_DIMENSIONSSENDCLOUDSHIPPING_V2_DIMENSIONS_UNIT

FAQ