Ship Per Product Security & Risk Analysis

wordpress.org/plugins/ship-per-product

Allows you to set a shipping cost for each product based on the customer's location.

100 active installs · v2.1.0 · PHP + · WP 3.4+ · Updated Jul 23, 2022
Tags: per-product-shipping, ship, ship-per-product, shipping, woocommerce-shipping
64
C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Apr 1, 2025
Safety Verdict

Is Ship Per Product Safe to Use in 2026?

Use With Caution

Score 64/100

Ship Per Product has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Apr 1, 2025 · Updated 3yr ago
Risk Assessment

The 'ship-per-product' plugin v2.1.0 exhibits significant security concerns, primarily due to a large attack surface with a high proportion of unprotected AJAX handlers and a notable lack of proper output escaping. While the plugin doesn't appear to use dangerous functions or make external HTTP requests, the 7 unprotected AJAX endpoints represent a substantial risk, potentially allowing unauthenticated users to trigger arbitrary actions. The low percentage of prepared SQL statements (5%) also raises flags for potential SQL injection vulnerabilities, despite the absence of identified critical or high severity taint flows. The vulnerability history, showing one medium severity CVE that is currently unpatched, further reinforces the need for caution. This unpatched vulnerability, coupled with the weak authorization checks on AJAX handlers, indicates a pattern of neglect in fundamental security practices. Overall, while the absence of dangerous functions and external requests is positive, the combination of a broad unprotected attack surface, insecure coding practices regarding SQL and output escaping, and an unpatched historical vulnerability paints a concerning security picture for this plugin.

Key Concerns

  • Unprotected AJAX handlers
  • Low percentage of prepared SQL statements
  • Low percentage of properly escaped output
  • Unpatched medium severity CVE
  • Missing nonce checks on AJAX
  • Only one capability check found
  • High severity taint flow
Vulnerabilities
1

Ship Per Product Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-31773 · medium · 5.3 · Missing Authorization

Ship Per Product <= 2.1.0 - Missing Authorization

Apr 1, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Ship Per Product Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 61 · 3 prepared
Unescaped Output: 51 · 11 escaped
Nonce Checks: 0
Capability Checks: 1
File Operations: 4
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

DataTables

SQL Query Safety

5% prepared · 64 total queries

Output Escaping

18% escaped · 62 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

8 flows · 6 with unsanitized paths
ced_pbs_datable_process_edit (includes\class-ship-per-product.php:84)
Attack Surface
7 unprotected

Ship Per Product Attack Surface

Entry Points: 9
Unprotected: 7

AJAX Handlers 9

nopriv · wp_ajax_extractcsv_file · includes\class-ship-per-product.php:39
auth · wp_ajax_extractcsv_file · includes\class-ship-per-product.php:40
nopriv · wp_ajax_ced_pbs_delete_rows · includes\class-ship-per-product.php:41
auth · wp_ajax_ced_pbs_delete_rows · includes\class-ship-per-product.php:42
nopriv · wp_ajax_ced_pbs_showing_codes · includes\class-ship-per-product.php:44
auth · wp_ajax_ced_pbs_showing_codes · includes\class-ship-per-product.php:45
auth · wp_ajax_ced_pbs_datable_process_edit · includes\class-ship-per-product.php:48
nopriv · wp_ajax_ced_pbs_datable_process_edit · includes\class-ship-per-product.php:49
auth · wp_ajax_ced_spp_send_mail · includes\class-ship-per-product.php:53

WordPress Hooks 13

action · woocommerce_cart_calculate_fees · includes\class-ship-per-product.php:30
filter · woocommerce_shipping_methods · includes\class-ship-per-product.php:31
action · woocommerce_shipping_init · includes\class-ship-per-product.php:32
action · woocommerce_product_options_shipping · includes\class-ship-per-product.php:35
action · woocommerce_process_product_meta · includes\class-ship-per-product.php:37
action · admin_enqueue_scripts · includes\class-ship-per-product.php:38
action · admin_init · includes\class-ship-per-product.php:50
action · plugins_loaded · includes\class-ship-per-product.php:51
action · init · includes\class-ship-per-product.php:52
filter · woocommerce_package_rates · includes\ship-per-product-options.php:915
filter · plugin_action_links · ship-per-product.php:72
action · admin_init · ship-per-product.php:118
action · admin_notices · ship-per-product.php:130
Maintenance & Trust

Ship Per Product Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.0
Last updated: Jul 23, 2022
PHP min version
Downloads: 17K

Community Trust

Rating: 60/100
Number of ratings: 2
Active installs: 100
Developer Profile

Ship Per Product Developer Profile

cedcommerce

21 plugins · 5K total installs

Trust score: 67
Avg Security Score: 83/100
Avg Patch Time: 204 days
Detection Fingerprints

How We Detect Ship Per Product

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ship-per-product/includes/css/custom.css
/wp-content/plugins/ship-per-product/includes/css/style.css
/wp-content/plugins/ship-per-product/includes/js/ced-spp-common.js
/wp-content/plugins/ship-per-product/includes/js/ced-spp-product-data.js
/wp-content/plugins/ship-per-product/includes/js/ced_spp_admin.js

HTML / DOM Fingerprints

CSS Classes
ced_spp_hidden_input, ced_spp_add_row_button, ced_spp_edit_row_button, ced_spp_delete_row_button, ced_spp_edit_country_code, ced_spp_edit_state_code, ced_spp_edit_city, ced_spp_edit_zip_code, +4 more
HTML Comments
<!-- This is main class of plugin -->
<!-- This function is a constructor of class -->
<!-- DataTables example server-side processing script. -->
<!-- Please note that this script is intentionally extremely simply to show how -->
+13 more
Data Attributes
data-product_id, data-country_code, data-state_code, data-city, data-zip_code, data-line_cost, +3 more
JS Globals
ced_spp_common_obj, ced_spp_product_data, ced_spp_admin_obj, ced_pbs_datatable_process_edit
REST Endpoints
/wp-json/ced_spp/v1/get_shipping_data
FAQ

Frequently Asked Questions about Ship Per Product