Ukrposhta Security & Risk Analysis

wordpress.org/plugins/woo-ukrposhta

Create express waybills automatically on the order page. 10% discount on shipments created online via the Ukrposhta API.

600 active installs · v1.18.1 · PHP 7.4+ · WP 5.0+ · Updated Jul 30, 2025
Tags: укрпочта, укрпошта, ukrposhta

Score: 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jan 6, 2025
Safety Verdict

Is Ukrposhta Safe to Use in 2026?

Generally Safe

Score 99/100

Ukrposhta has a strong security track record: its one known CVE was patched within 8 days of publication.

1 known CVE · Last CVE: Jan 6, 2025 · Updated 8mo ago
Risk Assessment

The woo-ukrposhta v1.18.1 plugin shows a mixed security posture. Database access and output rendering are handled well: 95% of SQL queries use prepared statements and 97% of outputs are escaped. The attack surface is the main concern. Six of the ten AJAX handlers and all three REST API routes carry no authentication or permission check, so they are reachable by unauthenticated visitors. Five of the AJAX hooks are registered as nopriv and, like the REST routes, serve carrier reference data (areas, cities, warehouses, postcodes) that guest checkout needs, so anonymous access to them is expected by design. The practical questions are whether each one validates its input, whether its access policy is declared explicitly rather than left implicit, and whether each call proxies to the Ukrposhta API with the store's credentials without caching or rate limiting (the analysis counts 26 external requests).

The taint analysis finds 2 of 6 data flows with unsanitized paths, none rated critical or high. The vulnerability history holds one medium-severity CVE, a reflected cross-site scripting issue, fixed in 1.18.0. A patched history is still a history: the same rendering paths deserve review whenever new request parameters are echoed. Overall the plugin's code hygiene for database access and output rendering is good; the weak access control on most of its endpoints is the primary risk and should be addressed first.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Flows with unsanitized paths
  • Low capability check coverage
Vulnerabilities (1)

Ukrposhta Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2024-12049 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Woo Ukrposhta <= 1.17.11 - Reflected Cross-Site Scripting via order, post, and idd Parameters

Jan 6, 2025 · Patched in 1.18.0 (8d)
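The advisory above describes a reflected XSS through request parameters echoed into an admin page. The following is an added illustration of that bug class next to its hardened form; it is not code from woo-ukrposhta, the parameter and page names are assumptions, and the `function_exists` shims exist only so the file runs with the PHP CLI outside WordPress.

```php
<?php
// Added illustration, not the plugin's code. Vulnerable and hardened versions
// of a link builder that reflects a request parameter into an admin screen.
// Shims so the file runs under plain `php` outside WordPress; inside WordPress
// the real absint/esc_html/esc_attr are used instead.
if (!function_exists('absint')) {
    function absint($v) { return abs((int) $v); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}

// Vulnerable: the raw parameter lands inside an attribute and in text content.
// A value such as  "><img src=x onerror=alert(1)>  closes the attribute and
// injects markup; this is the reflected-XSS shape the advisory describes.
function vulnerable_order_link(array $get): string
{
    $order = $get['order'] ?? '';
    return '<a href="admin.php?page=invoices&order=' . $order . '">Order #' . $order . '</a>';
}

// Hardened: the value is an ID, so cast it at the boundary and reject anything
// else. Every interpolation is still escaped for its context, so a later change
// that widens what the parameter accepts does not reopen the hole. Inside
// WordPress, esc_url() is the usual escaper for a full href value.
function hardened_order_link(array $get): string
{
    $order = absint($get['order'] ?? 0);
    if ($order === 0) {
        return '';                                   // missing or non-numeric: render nothing
    }
    $href = 'admin.php?page=invoices&order=' . rawurlencode((string) $order);
    return '<a href="' . esc_attr($href) . '">Order #' . esc_html((string) $order) . '</a>';
}

// Constructed request, the kind of payload a reflected-XSS report would carry.
$payload = ['order' => '"><img src=x onerror=alert(1)>'];
echo "vulnerable: ", vulnerable_order_link($payload), PHP_EOL;
echo "hardened:   ", var_export(hardened_order_link($payload), true), PHP_EOL;
echo "hardened:   ", hardened_order_link(['order' => '42']), PHP_EOL;
```

Run with `php example.php`: the vulnerable line emits the injected `<img>` tag intact, the hardened call returns an empty string for the payload, and for `42` yields `<a href="admin.php?page=invoices&amp;order=42">Order #42</a>`.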
Code Analysis
Analyzed Mar 16, 2026

Ukrposhta Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (52 prepared)
Unescaped Output: 12 (465 escaped)
Nonce Checks: 40
Capability Checks: 1
File Operations: 0
External Requests: 26
Bundled Libraries: 0

SQL Query Safety

95% prepared (55 total queries)

Output Escaping

97% escaped (477 total outputs)
Data Flows (2 unsanitized)

Data Flow Analysis

6 flows, 2 with unsanitized paths
<edit> (admin\partials\edit.php:0)
Attack Surface (9 unprotected)

Ukrposhta Attack Surface

Entry Points: 13
Unprotected: 9

AJAX Handlers (10)

auth · wp_ajax_morkva_ukrposhta_up_load_areas · classes\ukrPoshtaAjaxHandler.php:20
nopriv · wp_ajax_morkva_ukrposhta_up_load_areas · classes\ukrPoshtaAjaxHandler.php:21
auth · wp_ajax_morkva_ukrposhta_up_load_cities · classes\ukrPoshtaAjaxHandler.php:23
nopriv · wp_ajax_morkva_ukrposhta_up_load_cities · classes\ukrPoshtaAjaxHandler.php:24
auth · wp_ajax_morkva_ukrposhta_up_load_warehouses · classes\ukrPoshtaAjaxHandler.php:26
nopriv · wp_ajax_morkva_ukrposhta_up_load_warehouses · classes\ukrPoshtaAjaxHandler.php:27
auth · wp_ajax_city_autocomplete · morkvaup-plugin.php:346
nopriv · wp_ajax_city_autocomplete · morkvaup-plugin.php:347
auth · wp_ajax_morkva_ukrposhta_load_postcodes · morkvaup-plugin.php:397
nopriv · wp_ajax_morkva_ukrposhta_load_postcodes · morkvaup-plugin.php:398

REST API Routes (3)

GET /wp-json/morkva_ukrposhta/v1/ukrposhta/area · classes\ukrPoshtaRest.php:14
GET /wp-json/morkva_ukrposhta/v1/ukrposhta/cities/(?P<ref>[^\/]*) · classes\ukrPoshtaRest.php:18
GET /wp-json/morkva_ukrposhta/v1/ukrposhta/warehouses/(?P<ref>[^\/]*) · classes\ukrPoshtaRest.php:22
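The Risk Assessment and the two lists above flag the same thing: lookup endpoints with no declared access policy. The following is an added example, not woo-ukrposhta's code, of how the three REST routes and one nopriv AJAX lookup would state their policy explicitly, bound their input, and avoid turning every anonymous request into a fresh call against the store's carrier credentials. Namespace and route shapes follow the page; the `example_*` callbacks, option names, nonce action and upstream paths are assumptions, and the `ref` segment is treated as an opaque token. The code runs inside WordPress (PHP 7.4+) as plugin code.

```php
<?php
// Added example, not the plugin's code. Explicit access policy and input
// handling for public lookup endpoints. Option names, nonce action and the
// upstream API paths are assumptions.

// Upstream lookup shared by REST and AJAX. Results are cached so anonymous
// callers cannot make the site issue one authenticated upstream call per hit.
function example_up_lookup(string $path, array $query = []) {
    $key  = 'example_up_' . md5($path . serialize($query));
    $data = get_transient($key);
    if ($data !== false) {
        return $data;
    }
    $url = add_query_arg($query, trailingslashit(get_option('example_up_api_base')) . $path);
    $res = wp_remote_get($url, [
        'timeout' => 10,
        'headers' => ['Authorization' => 'Bearer ' . get_option('example_up_api_token')],
    ]);
    if (is_wp_error($res) || wp_remote_retrieve_response_code($res) !== 200) {
        return new WP_Error('upstream', 'Carrier lookup failed', ['status' => 502]);
    }
    $data = json_decode(wp_remote_retrieve_body($res), true);
    set_transient($key, $data, HOUR_IN_SECONDS);
    return $data;
}

// The REST layer validates before it sanitizes, so validate the raw value
// strictly. The route regex already bounds it; 'args' keeps the rule visible.
function example_up_ref_args(): array {
    return ['ref' => [
        'required'          => true,
        'validate_callback' => fn($v) => is_string($v) && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $v) === 1,
        'sanitize_callback' => fn($v) => preg_replace('/[^A-Za-z0-9_-]/', '', $v),
    ]];
}

add_action('rest_api_init', function () {
    // Public reference data: say so. Since WP 5.5 a route without
    // permission_callback raises _doing_it_wrong; '__return_true' records that
    // anonymous access is intended rather than overlooked.
    $public = ['methods' => WP_REST_Server::READABLE, 'permission_callback' => '__return_true'];

    register_rest_route('morkva_ukrposhta/v1', '/ukrposhta/area', $public + [
        'callback' => fn() => rest_ensure_response(example_up_lookup('areas')),
    ]);
    register_rest_route('morkva_ukrposhta/v1', '/ukrposhta/cities/(?P<ref>[A-Za-z0-9_-]{1,64})', $public + [
        'callback' => fn(WP_REST_Request $r) => rest_ensure_response(example_up_lookup('cities', ['area' => $r['ref']])),
        'args'     => example_up_ref_args(),
    ]);
    register_rest_route('morkva_ukrposhta/v1', '/ukrposhta/warehouses/(?P<ref>[A-Za-z0-9_-]{1,64})', $public + [
        'callback' => fn(WP_REST_Request $r) => rest_ensure_response(example_up_lookup('warehouses', ['city' => $r['ref']])),
        'args'     => example_up_ref_args(),
    ]);
});

// AJAX: guest checkout needs the nopriv variant, so it cannot demand a
// capability, but it can demand a nonce minted on the checkout page (tying the
// call to a page the site served) and strict input handling. An admin-only
// action would add current_user_can('manage_woocommerce') before doing anything.
add_action('wp_ajax_example_load_cities',        'example_ajax_load_cities');
add_action('wp_ajax_nopriv_example_load_cities', 'example_ajax_load_cities');
function example_ajax_load_cities(): void {
    check_ajax_referer('example_checkout', 'nonce');             // 403 and die on failure
    $area = sanitize_text_field(wp_unslash($_POST['area'] ?? ''));
    if ($area === '' || strlen($area) > 64) {
        wp_send_json_error(['message' => 'invalid area'], 400);
    }
    $cities = example_up_lookup('cities', ['area' => $area]);
    if (is_wp_error($cities)) {
        wp_send_json_error(['message' => $cities->get_error_message()], 502);
    }
    wp_send_json_success($cities);
}

// Mint the nonce the handler expects and expose it to the checkout script.
add_action('wp_enqueue_scripts', function () {
    if (function_exists('is_checkout') && is_checkout()) {
        wp_localize_script('woocommerce', 'exampleUp', ['nonce' => wp_create_nonce('example_checkout')]);
    }
});
```

A scanner counting "unprotected" entry points will still list the `__return_true` routes, and that is the correct outcome: the finding becomes a documented decision rather than an omission, and the remaining review questions are the input bounds and the upstream caching shown here.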
WordPress Hooks (44)

action · admin_enqueue_scripts · admin\class-morkvaup-plugin-admin.php:54
action · admin_enqueue_styles · admin\class-morkvaup-plugin-public.php:55
action · admin_footer · admin\partials\invoice\view\invoice_header.php:28
action · admin_footer · admin\partials\morkvaup-plugin-invoices-page.php:25
action · admin_footer · admin\partials\morkvaup-plugin-settings.php:43
action · admin_enqueue_scripts · classes\AssetsLoader.php:13
action · admin_enqueue_scripts · classes\AssetsLoader.php:14
action · wp_enqueue_scripts · classes\AssetsLoader.php:15
action · woocommerce_checkout_process · classes\CheckoutValidator.php:14
filter · woocommerce_checkout_fields · classes\CheckoutValidator.php:15
filter · woocommerce_checkout_posted_data · classes\CheckoutValidator.php:16
action · woocommerce_checkout_before_customer_details · classes\CheckoutValidator.php:17
filter · woocommerce_ship_to_different_address_checked · classes\CheckoutValidator.php:20
filter · woocommerce_ship_to_different_address_checked · classes\CheckoutValidator.php:22
filter · woocommerce_billing_fields · classes\CheckoutValidator.php:24
filter · woocommerce_shipping_fields · classes\CheckoutValidator.php:25
filter · woocommerce_ship_to_different_address_checked · classes\CheckoutValidator.php:160
action · admin_init · classes\Initializer.php:21
action · init · classes\Initializer.php:25
action · woocommerce_checkout_create_order · classes\OrderCreator.php:14
filter · body_class · classes\ukrPoshtaFrontendInjector.php:21
action · wp_head · classes\ukrPoshtaFrontendInjector.php:22
action · wp_enqueue_scripts · classes\ukrPoshtaFrontendInjector.php:23
action · rest_api_init · classes\ukrPoshtaRest.php:9
action · admin_menu · includes\class-morkvaup-plugin-loader.php:116
action · add_meta_boxes · includes\class-morkvaup-plugin-loader.php:117
action · admin_init · includes\class-morkvaup-plugin-loader.php:118
filter · manage_woocommerce_page_wc-orders_columns · includes\class-morkvaup-plugin-loader.php:122
action · manage_woocommerce_page_wc-orders_custom_column · includes\class-morkvaup-plugin-loader.php:123
filter · manage_edit-shop_order_columns · includes\class-morkvaup-plugin-loader.php:126
action · manage_shop_order_posts_custom_column · includes\class-morkvaup-plugin-loader.php:127
filter · wp_mail_from_name · includes\class-morkvaup-plugin-loader.php:130
action · plugins_loaded · includes\class-morkvaup-plugin.php:122
action · wp_enqueue_scripts · includes\class-morkvaup-plugin.php:144
action · wp_enqueue_scripts · includes\class-morkvaup-plugin.php:145
action · before_woocommerce_init · morkvaup-plugin.php:22
action · init · morkvaup-plugin.php:28
action · query_vars · morkvaup-plugin.php:34
action · template_redirect · morkvaup-plugin.php:41
filter · woocommerce_checkout_update_order_review · morkvaup-plugin.php:142
filter · woocommerce_shipping_methods · morkvaup-plugin.php:229
filter · woocommerce_shipping_methods · morkvaup-plugin.php:239
action · woocommerce_admin_order_data_after_shipping_address · morkvaup-plugin.php:253
action · before_woocommerce_init · morkvaup-plugin.php:340
Maintenance & Trust

Ukrposhta Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jul 30, 2025
PHP min version: 7.4
Downloads: 18K

Community Trust

Rating: 64/100
Number of ratings: 9
Active installs: 600
Developer Profile

Ukrposhta Developer Profile

Ihor Kit

14 plugins · 3K total installs

Trust score: 93
Avg Security Score: 98/100
Avg Patch Time: 11 days
Detection Fingerprints

How We Detect Ukrposhta

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/woo-ukrposhta/dist/style.css
/wp-content/plugins/woo-ukrposhta/dist/script.js
/wp-content/plugins/woo-ukrposhta/admin/css/settings.css
/wp-content/plugins/woo-ukrposhta/admin/js/settings.js
/wp-content/plugins/woo-ukrposhta/assets/css/admin-styles.css
/wp-content/plugins/woo-ukrposhta/assets/css/checkout.css
/wp-content/plugins/woo-ukrposhta/assets/js/checkout.js
/wp-content/plugins/woo-ukrposhta/assets/js/settings.js
(+1 more)
Script Paths
/wp-content/plugins/woo-ukrposhta/dist/script.js
/wp-content/plugins/woo-ukrposhta/admin/js/settings.js
/wp-content/plugins/woo-ukrposhta/assets/js/checkout.js
/wp-content/plugins/woo-ukrposhta/assets/js/settings.js
/wp-content/plugins/woo-ukrposhta/assets/js/order.js
Version Parameters
woo-ukrposhta/dist/style.css?ver=
woo-ukrposhta/dist/script.js?ver=
woo-ukrposhta/admin/css/settings.css?ver=
woo-ukrposhta/admin/js/settings.js?ver=
woo-ukrposhta/assets/css/admin-styles.css?ver=
woo-ukrposhta/assets/css/checkout.css?ver=
woo-ukrposhta/assets/js/checkout.js?ver=
woo-ukrposhta/assets/js/settings.js?ver=
woo-ukrposhta/assets/js/order.js?ver=

HTML / DOM Fingerprints

CSS Classes
ukrposhta-checkout-field
ukrposhta-shipping-method
HTML Comments
<!-- ukrposhta-shipping-method -->
<!-- Ukrposhta Settings -->
<!-- Ukrposhta Order Details -->
<!-- Ukrposhta Shipping Options -->
Data Attributes
data-ukrposhta-shipping-method
data-ukrposhta-api-key
JS Globals
UkrposhtaApi
ukrposhtaSettings
REST Endpoints
/wp-json/ukrposhta/v1/settings
/wp-json/ukrposhta/v1/calculate_shipping
Shortcode Output
[ukrposhta_shipping_calculator]
[ukrposhta_tracking_info]
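The fingerprints above are patterns, not a procedure. The following is an added example, not part of the page's or the plugin's tooling, that applies them to one HTML document: the asset paths establish presence, the `?ver=` query yields a version hint, and the DOM markers add corroboration. The sample page fragment is constructed and the version value in it is illustrative.

```php
<?php
// Added example: apply the listed fingerprints to an HTML document.
// Not the page's detection code; the sample input below is constructed.

function detect_woo_ukrposhta(string $html): array {
    $result = ['present' => false, 'version' => null, 'evidence' => []];

    // Asset paths: any file served from the plugin's directory confirms presence.
    if (preg_match_all('#/wp-content/plugins/woo-ukrposhta/[^"\'\s?]+#', $html, $m)) {
        $result['present']  = true;
        $result['evidence'] = array_values(array_unique($m[0]));
    }

    // Version parameter: wp_enqueue_* appends ?ver=<value> when the plugin passes
    // its version. A site that strips or overrides ?ver= leaves this null.
    if (preg_match('#woo-ukrposhta/[^"\'\s]+\?ver=([0-9][0-9.]*)#', $html, $m)) {
        $result['version'] = $m[1];
    }

    // DOM corroboration from the listed CSS classes, data attributes and comments.
    $markers = [
        'ukrposhta-checkout-field',
        'ukrposhta-shipping-method',
        'data-ukrposhta-shipping-method',
        '<!-- Ukrposhta Shipping Options -->',
    ];
    foreach ($markers as $marker) {
        if (strpos($html, $marker) !== false) {
            $result['present']    = true;
            $result['evidence'][] = $marker;
        }
    }
    return $result;
}

// Constructed checkout page fragment (the version value is made up for the demo).
$sample = <<<HTML
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/woo-ukrposhta/assets/css/checkout.css?ver=1.18.1">
<script src="https://shop.example/wp-content/plugins/woo-ukrposhta/assets/js/checkout.js?ver=1.18.1"></script>
<!-- Ukrposhta Shipping Options -->
<p class="form-row ukrposhta-checkout-field" data-ukrposhta-shipping-method="up_express"></p>
HTML;

print_r(detect_woo_ukrposhta($sample));
```

On the sample this reports `present => true`, `version => 1.18.1`, and the two asset paths plus the three DOM markers as evidence. Treat the version as a hint only: `?ver=` is under the site's control, and a matching version string does not by itself establish that the CVE above applies.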
FAQ

Frequently Asked Questions about Ukrposhta