Orders Tracking for WooCommerce Security & Risk Analysis

wordpress.org/plugins/woo-orders-tracking

Easily import/manage your tracking numbers, add tracking numbers to PayPal and send email notifications to customers.

10K active installs · v1.2.17 · PHP 7.0+ · WP 5.0.0+ · Updated Jan 20, 2026
Tags: advanced-shipment-tracking-for-woocommerce, orders-tracking-for-woocommerce, woocommerce-order-tracking-plugin, woocommerce-shipment-tracking, woocommerce-tracking-number
Score: 98 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: May 9, 2024
Safety Verdict

Is Orders Tracking for WooCommerce Safe to Use in 2026?

Generally Safe

Score 98/100

Orders Tracking for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: May 9, 2024 · Updated 2mo ago
Risk Assessment

The "woo-orders-tracking" plugin v1.2.17 presents a mixed security posture. On the positive side, static analysis reveals strong adherence to secure coding practices with a very high percentage of prepared SQL statements and properly escaped output. Nonce and capability checks are also present across a good portion of the entry points, and importantly, there are no identified unprotected AJAX handlers or REST API routes. Taint analysis shows no critical or high severity vulnerabilities, indicating that the flow of user-controlled data is generally handled safely within the analyzed code paths.

However, the plugin's vulnerability history is a significant concern. With a total of three known CVEs, including two medium and one low severity, it suggests a pattern of past security weaknesses. The types of past vulnerabilities (Code Injection, Path Traversal, XSS) are common and can lead to serious compromises if they were to re-emerge or if the current version still harbors similar flaws. The fact that the last vulnerability was very recent (May 2024) further underscores this concern, even though no CVEs are currently listed as unpatched.

In conclusion, while the current version demonstrates good implementation of several security best practices, the historical record of vulnerabilities cannot be ignored. The plugin has a history of serious flaw types, and the recent discovery of a vulnerability suggests ongoing security challenges. Users should remain vigilant and ensure they are always on the latest version, as the plugin's past indicates a tendency to develop exploitable weaknesses.

Key Concerns

  • Multiple past vulnerabilities (CVEs)
  • Recent vulnerability discovered
  • History of Code Injection, Path Traversal, XSS
Vulnerabilities
3

Orders Tracking for WooCommerce Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 1 CVE
2024: 1 CVE

Severity Breakdown

Medium: 2
Low: 1

3 total CVEs

CVE-2024-4039 · medium · 6.5 · Improper Control of Generation of Code ('Code Injection')

Orders Tracking for WooCommerce <= 1.2.10 - Unauthenticated Arbitrary Shortcode Execution

May 9, 2024 · Patched in 1.2.11 (1d)
CVE-2023-4216 · low · 2.7 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Orders Tracking for WooCommerce <= 1.2.5 - Authenticated (Administrator+) Directory Traversal via 'file_url'

Aug 14, 2023 · Patched in 1.2.6 (162d)
CVE-2021-25062 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Orders Tracking for WooCommerce <= 1.0.14 - Reflected Cross-Site Scripting

Dec 27, 2021 · Patched in 1.1.10 (757d)
Code Analysis
Analyzed Mar 16, 2026

Orders Tracking for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (59 prepared)
Unescaped Output: 26 (1757 escaped)
Nonce Checks: 24
Capability Checks: 10
File Operations: 8
External Requests: 7
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

97% prepared · 61 total queries

Output Escaping

99% escaped · 1783 total outputs
Data Flows
All sanitized

Data Flow Analysis

12 flows
orders_tracking_export_orders_tracking (includes\admin\export-orders-tracking.php:778)
Attack Surface

Orders Tracking for WooCommerce Attack Surface

Entry Points: 19
Unprotected: 0

AJAX Handlers 15

auth wp_ajax_vi_wot_customize_params_date_time_format includes\admin\design.php:17
auth wp_ajax_vi_wot_export_preview includes\admin\export-orders-tracking.php:24
auth wp_ajax_vi_wot_save_filter_settings includes\admin\export-orders-tracking.php:25
auth wp_ajax_woo_orders_tracking_import includes\admin\import_csv.php:38
auth wp_ajax_vi_wot_view_log includes\admin\import_csv.php:45
auth wp_ajax_wotv_save_track_info_item includes\admin\orders-edit-tracking.php:24
auth wp_ajax_wotv_save_track_info_all_item includes\admin\orders-edit-tracking.php:25
auth wp_ajax_vi_woo_orders_tracking_add_tracking_to_paypal includes\admin\orders-edit-tracking.php:26
auth wp_ajax_vi_wot_refresh_track_info includes\admin\orders-track-info.php:20
auth wp_ajax_wotv_admin_add_new_shipping_carrier includes\admin\settings.php:16
auth wp_ajax_wotv_admin_edit_shipping_carrier includes\admin\settings.php:20
auth wp_ajax_wotv_admin_delete_shipping_carrier includes\admin\settings.php:21
auth wp_ajax_wot_preview_emails includes\admin\settings.php:26
auth wp_ajax_wot_test_connection_paypal includes\admin\settings.php:27
auth wp_ajax_woo_orders_tracking_search_page includes\admin\settings.php:28

Shortcodes 4

[woocommerce_orders_tracking_info_woo_email] includes\admin\woo-order-email.php:74
[vi_wot_form_track_order] includes\frontend\frontend.php:381
[vi_wot_track_order_timeline] includes\frontend\frontend.php:382
[vi_wot_tracking_more_form] includes\frontend\tracking-more-form.php:13
WordPress Hooks 73
action init includes\admin\admin.php:11
action admin_enqueue_scripts includes\admin\admin.php:12
filter plugin_action_links_woo-orders-tracking/woo-orders-tracking.php includes\admin\admin.php:13
action admin_enqueue_scripts includes\admin\class-villatheme-admin-show-message.php:10
action admin_enqueue_scripts includes\admin\cron-update-tracking.php:15
action admin_menu includes\admin\cron-update-tracking.php:16
action customize_register includes\admin\design.php:13
action wp_enqueue_scripts includes\admin\design.php:14
action customize_preview_init includes\admin\design.php:15
action customize_controls_enqueue_scripts includes\admin\design.php:16
action admin_menu includes\admin\export-orders-tracking.php:22
action admin_enqueue_scripts includes\admin\export-orders-tracking.php:23
action admin_init includes\admin\export-orders-tracking.php:26
action admin_menu includes\admin\import_csv.php:35
action admin_enqueue_scripts includes\admin\import_csv.php:36
action admin_init includes\admin\import_csv.php:37
action vi_wot_importer_scheduled_cleanup includes\admin\import_csv.php:39
action vi_wot_send_mail_tracking_code includes\admin\import_csv.php:43
action vi_wot_send_mails_for_import_csv_function includes\admin\import_csv.php:44
filter woocommerce_email_styles includes\admin\import_csv.php:2256
action admin_enqueue_scripts includes\admin\orders-edit-tracking.php:21
filter woocommerce_hidden_order_itemmeta includes\admin\orders-edit-tracking.php:22
action woocommerce_after_order_itemmeta includes\admin\orders-edit-tracking.php:23
action add_meta_boxes includes\admin\orders-edit-tracking.php:27
action admin_footer includes\admin\orders-edit-tracking.php:56
action admin_enqueue_scripts includes\admin\orders-track-info.php:15
filter manage_edit-shop_order_columns includes\admin\orders-track-info.php:16
filter manage_woocommerce_page_wc-orders_columns includes\admin\orders-track-info.php:17
action manage_shop_order_posts_custom_column includes\admin\orders-track-info.php:18
action manage_woocommerce_page_wc-orders_custom_column includes\admin\orders-track-info.php:19
action restrict_manage_posts includes\admin\orders-track-info.php:21
action woocommerce_order_list_table_restrict_manage_orders includes\admin\orders-track-info.php:22
action woocommerce_orders_table_query_clauses includes\admin\orders-track-info.php:23
filter posts_where includes\admin\orders-track-info.php:24
filter vi_woo_alidropship_order_item_tracking_data includes\admin\orders-track-info.php:26
filter posts_join includes\admin\orders-track-info.php:511
filter posts_distinct includes\admin\orders-track-info.php:512
action admin_menu includes\admin\settings.php:13
action admin_init includes\admin\settings.php:14
action admin_enqueue_scripts includes\admin\settings.php:15
action media_buttons includes\admin\settings.php:25
action admin_footer includes\admin\settings.php:1918
action admin_menu includes\admin\webhooks.php:12
action admin_enqueue_scripts includes\admin\webhooks.php:13
action init includes\admin\woo-order-email.php:12
action woocommerce_email_before_order_table includes\admin\woo-order-email.php:20
action woocommerce_email_after_order_table includes\admin\woo-order-email.php:30
action wp_enqueue_scripts includes\frontend\frontend.php:14
action widgets_init includes\frontend\frontend.php:15
action init includes\frontend\frontend.php:16
filter content_pagination includes\frontend\frontend.php:17
action wp_enqueue_scripts includes\frontend\order-details.php:12
filter woocommerce_account_orders_columns includes\frontend\order-details.php:13
action woocommerce_my_account_my_orders_column_woo-orders-tracking includes\frontend\order-details.php:14
action woocommerce_order_item_meta_end includes\frontend\order-details.php:53
action init includes\frontend\tracking-more-form.php:9
filter woocommerce_orders_tracking_email_woo_statuses includes\plugins\woocommerce_order_status_manager.php:11
filter woocommerce_orders_tracking_email_woo_statuses includes\plugins\woocommerce_status_actions.php:11
action admin_enqueue_scripts includes\support.php:33
action admin_notices includes\support.php:34
action admin_init includes\support.php:35
action admin_menu includes\support.php:36
filter plugin_row_meta includes\support.php:38
action admin_init includes\support.php:40
action admin_bar_menu includes\support.php:42
action admin_notices includes\support.php:55
action wp_dashboard_setup includes\support.php:57
action admin_footer includes\support.php:697
action admin_bar_menu includes\support.php:831
action admin_notices includes\support.php:978
action before_woocommerce_init woo-orders-tracking.php:48
action plugins_loaded woo-orders-tracking.php:52
action activated_plugin woo-orders-tracking.php:53

Scheduled Events 4

vi_wot_importer_scheduled_cleanup
vi_wot_send_mails_for_import_csv_function
vi_wot_send_mails_for_import_csv_function
vi_wot_send_mail_tracking_code
Maintenance & Trust

Orders Tracking for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 20, 2026
PHP min version: 7.0
Downloads: 387K

Community Trust

Rating: 90/100
Number of ratings: 58
Active installs: 10K
Developer Profile

Orders Tracking for WooCommerce Developer Profile

VillaTheme

58 plugins · 167K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 217 days
Detection Fingerprints

How We Detect Orders Tracking for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/woo-orders-tracking/assets/css/style.css
/wp-content/plugins/woo-orders-tracking/assets/js/backend.js
/wp-content/plugins/woo-orders-tracking/assets/js/frontend.js
/wp-content/plugins/woo-orders-tracking/assets/js/tooltips.js
/wp-content/plugins/woo-orders-tracking/assets/css/tooltips.css
/wp-content/plugins/woo-orders-tracking/assets/css/customers.css
/wp-content/plugins/woo-orders-tracking/assets/css/customizer.css
/wp-content/plugins/woo-orders-tracking/assets/css/frontend.css
+10 more
Script Paths
/wp-content/plugins/woo-orders-tracking/assets/js/backend.js
/wp-content/plugins/woo-orders-tracking/assets/js/frontend.js
/wp-content/plugins/woo-orders-tracking/assets/js/tooltips.js
/wp-content/plugins/woo-orders-tracking/assets/js/admin.js
/wp-content/plugins/woo-orders-tracking/assets/js/customers.js
/wp-content/plugins/woo-orders-tracking/assets/js/frontend-script.js
+2 more
Version Parameters
woo-orders-tracking/assets/css/style.css?ver=
woo-orders-tracking/assets/js/backend.js?ver=
woo-orders-tracking/assets/js/frontend.js?ver=
woo-orders-tracking/assets/js/tooltips.js?ver=
woo-orders-tracking/assets/css/tooltips.css?ver=
woo-orders-tracking/assets/css/customers.css?ver=
woo-orders-tracking/assets/css/customizer.css?ver=
woo-orders-tracking/assets/css/frontend.css?ver=
woo-orders-tracking/assets/css/frontend-style.css?ver=
woo-orders-tracking/assets/css/orders.css?ver=
woo-orders-tracking/assets/css/orders-style.css?ver=
woo-orders-tracking/assets/css/admin.css?ver=
woo-orders-tracking/assets/js/admin.js?ver=
woo-orders-tracking/assets/js/customers.js?ver=
woo-orders-tracking/assets/js/frontend-script.js?ver=
woo-orders-tracking/assets/js/admin-orders.js?ver=
woo-orders-tracking/includes/admin/assets/css/show-message.css?ver=
woo-orders-tracking/includes/admin/assets/js/show-message.js?ver=

HTML / DOM Fingerprints

CSS Classes
vi-wot-orders-tracking-customize-section
HTML Comments
<!-- begin shortcode: vi_orders_tracking_info -->
<!-- end shortcode: vi_orders_tracking_info -->
<!-- Shortcode vi_orders_tracking_info -->
<!-- customizer_preview_script -->
Data Attributes
data-vi-wot-order-id
data-vi-wot-tracking-id
data-vi-wot-nonce
data-vi-wot-tracking-page-id
JS Globals
VIWOT_POST_MESSAGES
VIWOT_DATA_PARAMS
VI_WOO_ORDERS_TRACKING_DATA_PARAMS
VI_WOO_ORDERS_TRACKING_VERSION
VI_WOO_ORDERS_TRACKING_AJAX_URL
VI_WOO_ORDERS_TRACKING_ADMIN_AJAX_URL
+4 more
Shortcode Output
[vi_orders_tracking_info]
[vi_orders_tracking_form]
FAQ

Frequently Asked Questions about Orders Tracking for WooCommerce