Does SHIPPOP have any unpatched vulnerabilities?

No. All known vulnerabilities in SHIPPOP have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is SHIPPOP compatible with WordPress 5.9.13?

According to WordPress.org data, SHIPPOP 4.5 has been tested up to WordPress 5.9.13. Check the plugin's changelog for the latest compatibility information.

Is SHIPPOP compatible with PHP 5.5+?

SHIPPOP requires PHP 5.5 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is SHIPPOP updated?

SHIPPOP was last updated on Nov 9, 2022. Frequent updates are generally a positive security signal.

What is SHIPPOP's security score?

SHIPPOP has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

SHIPPOP Security & Risk Analysis

wordpress.org/plugins/shippop-ecommerce

Plugin SHIPPOP is plugin for Woocommerce and this is official plugin from SHIPPOP, Plugin that allows you to easily manage your shipments through the …

50 active installs v4.5 PHP 5.5+ WP 4.8+ Updated Nov 9, 2022

e-commerceecommercesalessellshop

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is SHIPPOP Safe to Use in 2026?

Generally Safe

Score 85/100

SHIPPOP has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3yr ago

Risk Assessment

The shippop-ecommerce plugin version 4.5 exhibits a generally good security posture, with a notable absence of known CVEs and a robust setup of security checks for its entry points. The static analysis reveals a strong reliance on nonces and a significant percentage of SQL queries utilizing prepared statements, which are positive indicators. The plugin also demonstrates good practices in output escaping, with over 70% of outputs properly handled.

However, the analysis does highlight some areas of concern. A substantial number of flows with unsanitized paths were detected, indicating a potential risk for cross-site scripting (XSS) or other path-based vulnerabilities, even though no critical or high-severity taint flows were identified. The plugin also lacks capability checks on its AJAX handlers, meaning that any authenticated user could potentially trigger these actions. While the absence of direct SQL injection risks from raw SQL is good, the presence of file operations without clear sanitization of paths in the taint analysis warrants attention.

Given the clean vulnerability history and the proactive implementation of nonces and prepared statements, the plugin appears to have a foundational level of security. The primary weaknesses lie in the potential for path traversal or XSS through unsanitized paths and the lack of capability checks on AJAX handlers. Addressing these specific areas would further strengthen the plugin's overall security.

Key Concerns

Flows with unsanitized paths detected
AJAX handlers lack capability checks

Vulnerabilities

None known

SHIPPOP Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

SHIPPOP Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

127

305 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

67% prepared3 total queries

Output Escaping

71% escaped432 total outputs

Data Flows

7 unsanitized

Data Flow Analysis

9 flows7 with unsanitized paths

shippop_ecommerce_choose_courier (includes\ajax-api\ajax-api-choose-courier.php:18)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

SHIPPOP Attack Surface

Entry Points11

Unprotected0

AJAX Handlers 10

authwp_ajax_shippop_address_correctorincludes\ajax-api\ajax-api-address-corrector.php:10

authwp_ajax_shippop_ecommerce_choose_courierincludes\ajax-api\ajax-api-choose-courier.php:13

authwp_ajax_shippop_ecommerce_booking_courierincludes\ajax-api\ajax-api-choose-courier.php:14

authwp_ajax_shippop_ecommerce_tracking_purchaseincludes\ajax-api\ajax-api-choose-courier.php:15

authwp_ajax_parcel_shipping_trackingincludes\ajax-api\ajax-api-parcel-shipping.php:12

authwp_ajax_parcel_shipping_tracking_multipleincludes\ajax-api\ajax-api-parcel-shipping.php:13

authwp_ajax_parcel_shipping_count_data_statusincludes\ajax-api\ajax-api-parcel-shipping.php:14

authwp_ajax_parcel_shipping_purchase_cancelincludes\ajax-api\ajax-api-parcel-shipping.php:15

authwp_ajax_parcel_shipping_print_labelincludes\ajax-api\ajax-api-parcel-shipping.php:16

authwp_ajax_specm_shippop_registerincludes\shippop_login.php:20

REST API Routes 1

GET/wp-json/shippop/v1/update-statusweb-hooks-api.php:12

WordPress Hooks 35

actionadmin_enqueue_scriptsincludes\choose_courier.php:11

actionload-toplevel_page_shippop-ecommerceincludes\class_overview.php:7

actionload-shippop_page_shippop-ecommerce-parcelincludes\class_overview.php:8

actionload-shippop_page_shippop-ecommerce-report-codincludes\class_overview.php:9

filterset-screen-optionincludes\class_overview.php:11

filterset_screen_option_specm_spect_per_pageincludes\class_overview.php:12

actionadmin_enqueue_scriptsincludes\parcel_shipping.php:10

actionadmin_enqueue_scriptsincludes\report_cod.php:11

actionadmin_menuincludes\shippop_login.php:17

actionadmin_enqueue_scriptsincludes\shippop_login.php:19

actionadmin_enqueue_scriptsincludes\shippop_setting.php:18

actionadmin_initincludes\shippop_setting.php:23

actionadmin_menuincludes\shippop_setting.php:29

actionadmin_noticesincludes\shippop_setting.php:30

actionadmin_noticesincludes\shippop_setting.php:31

actionadmin_noticesincludes\shippop_setting.php:34

actionadmin_noticesincludes\shippop_setting.php:36

actionadmin_noticesincludes\shippop_setting.php:41

actionadmin_noticesincludes\shippop_setting.php:52

actioninitshippop-ecommerce.php:202

actionadmin_enqueue_scriptsshippop-ecommerce.php:211

actionadmin_menushippop-ecommerce.php:213

actionadmin_footershippop-ecommerce.php:215

actionwp_enqueue_scriptsshippop-ecommerce.php:247

actionwoocommerce_new_ordershippop-ecommerce.php:249

actionwoocommerce_checkout_update_order_metashippop-ecommerce.php:250

action__experimental_woocommerce_blocks_checkout_update_order_metashippop-ecommerce.php:251

filterwoocommerce_my_account_my_orders_actionsshippop-ecommerce.php:253

filterwoocommerce_get_order_item_totalsshippop-ecommerce.php:254

actionadmin_menushippop-ecommerce.php:275

actionadmin_menushippop-ecommerce.php:276

actionadd_meta_boxes_shop_ordershippop-ecommerce.php:278

actionsave_post_shop_ordershippop-ecommerce.php:279

actionadmin_noticesshippop-ecommerce.php:666

actionrest_api_initweb-hooks-api.php:9

Maintenance & Trust

SHIPPOP Maintenance & Trust

Maintenance Signals

WordPress version tested5.9.13

Last updatedNov 9, 2022

PHP min version5.5

Downloads3K

Community Trust

Rating0/100

Number of ratings0

Active installs50

Alternatives

SHIPPOP Alternatives

TriPay Payment Gateway

tripay-payment-gateway

100

TriPay Payment adalah payment gateway indonesia yang menyediakan beragam metode pembayaran seperti virtual account, convenience store, e-wallet, dll

1K 1 CVE

Ovic Pinmap

ovic-pinmap

Need support? [Contact Us](https://kutethemes.com/contact-us/ "Contact Us")

200 No CVEs

ShipperHQ: Shipping & Checkout Experience Solution

woo-shipperhq

100

Control the shipping rates and options you show in your WooCommerce cart. Live rates from 30+ carriers, LTL Freight and custom rates.

200 No CVEs

Sell Downloads

sell-downloads

Sell Downloads is an WordPress eCommerce for selling downloadable files: audio, video, documents, pictures all that may be published in Internet.

100 3 CVEs

OPay Payment for WooCommerce

woo-opay-payment

歐付寶金流外掛套件，提供合作特店以及個人會員使用開放原始碼商店系統時，無須自行處理複雜的檢核，直接透過安裝設定外掛套件，便可以較快速的方式介接的金流系統。

30 No CVEs

Developer Profile

SHIPPOP Developer Profile

SHIPPOP

1 plugin · 50 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect SHIPPOP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/shippop-ecommerce/assets/css/shippop-ecommerce.css/wp-content/plugins/shippop-ecommerce/assets/css/settings.css/wp-content/plugins/shippop-ecommerce/assets/css/shippop-woo.css/wp-content/plugins/shippop-ecommerce/assets/js/shippop-ecommerce.js/wp-content/plugins/shippop-ecommerce/assets/js/settings.js/wp-content/plugins/shippop-ecommerce/assets/js/shippop-woo.js

Version Parameters

shippop-ecommerce/assets/css/shippop-ecommerce.css?ver=shippop-ecommerce/assets/css/settings.css?ver=shippop-ecommerce/assets/css/shippop-woo.css?ver=shippop-ecommerce/assets/js/shippop-ecommerce.js?ver=shippop-ecommerce/assets/js/settings.js?ver=shippop-ecommerce/assets/js/shippop-woo.js?ver=

HTML / DOM Fingerprints

CSS Classes

shippop-ecommerce-settings

Data Attributes

data-shippop-ecommerce-settings

JS Globals

shippop_ecommerce_settings

REST Endpoints

/wp-json/shippop/v1/update-status

FAQ