WooCommerce Shipping Security & Risk Analysis

wordpress.org/plugins/woocommerce-shipping

A free shipping plugin for US merchants to print discounted shipping labels and compare live label rates directly from your WooCommerce dashboard.

60K active installs · v2.2.4 · PHP 7.4+ · WP 6.8+ · Updated Mar 10, 2026
Tags: dhl, labels, shipping, usps, woocommerce
Score: 100 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WooCommerce Shipping Safe to Use in 2026?

Generally Safe

Score 100/100

WooCommerce Shipping has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 24d ago
Risk Assessment

The 'woocommerce-shipping' plugin v2.2.4 exhibits a generally good security posture, with strong adherence to best practices like prepared statements for SQL queries and proper output escaping. The absence of known CVEs and a clean vulnerability history further contribute to this positive assessment, suggesting a mature and well-maintained codebase.

However, specific areas warrant attention. Two AJAX handlers without authentication checks represent a potential attack vector. The taint analysis did not reveal critical or high severity flows with unsanitized paths, but the single flow with an unsanitized path, even if not critical, should be investigated to confirm that no vulnerability is present.

Overall, the plugin is well developed from a security perspective and has a low risk profile. Its strengths are its robust handling of SQL and output. Its primary weakness is a small number of unprotected entry points, specifically the two unauthenticated AJAX handlers. Addressing these points will further solidify the plugin's security.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths (even if not critical)
Vulnerabilities
None known

WooCommerce Shipping Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WooCommerce Shipping Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (32 prepared)
Unescaped Output: 29 (268 escaped)
Nonce Checks: 13
Capability Checks: 18
File Operations: 3
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

94% prepared · 34 total queries

Output Escaping

90% escaped · 297 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
<Banners> (src\Banners\Banners.php:0)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
2 unprotected

WooCommerce Shipping Attack Surface

Entry Points: 7
Unprotected: 2

AJAX Handlers: 7

auth wp_ajax_wcshipping_dismiss_notice (classes\class-wc-connect-nux.php:369)
auth wp_ajax_wcshipping_dismiss_feature_banner (src\Banners\Banners.php:45)
auth wp_ajax_wcshipping_track_feature_banner_click (src\Banners\Banners.php:46)
auth wp_ajax_dismiss_admin_notice (src\Migration\MigrationNotices.php:31)
auth wp_ajax_wcshipping_dismiss_services_error (src\ServiceData\ServicesErrorNotice.php:56)
auth wp_ajax_wcshipping_e2e_seed_state (src\Testing\WCConnectE2EConnectionShim.php:97)
auth wp_ajax_wcshipping_e2e_set_connect_server_scenario (src\Testing\WCConnectE2EConnectionShim.php:98)

WordPress Hooks: 126

filter woocommerce_debug_tools (classes\class-wc-connect-debug-tools.php:16)
filter woocommerce_admin_status_tabs (classes\class-wc-connect-help-view.php:45)
action woocommerce_admin_status_content_woocommerce-shipping (classes\class-wc-connect-help-view.php:46)
action admin_enqueue_scripts (classes\class-wc-connect-nux.php:60)
action admin_post_register_wcshipping_jetpack (classes\class-wc-connect-nux.php:350)
action admin_notices (classes\class-wc-connect-nux.php:355)
action admin_notices (classes\class-wc-connect-nux.php:359)
action admin_notices (classes\class-wc-connect-nux.php:363)
action admin_init (classes\class-wc-connect-privacy.php:24)
action admin_notices (classes\class-wc-connect-privacy.php:25)
filter woocommerce_privacy_export_order_personal_data (classes\class-wc-connect-privacy.php:26)
action woocommerce_privacy_before_remove_order_personal_data (classes\class-wc-connect-privacy.php:27)
action wcshipping_render_wc_settings_page (classes\class-wc-connect-settings-pages.php:61)
filter woocommerce_get_sections_shipping (classes\class-wc-connect-settings-pages.php:75)
action woocommerce_settings_shipping (classes\class-wc-connect-settings-pages.php:76)
filter woocommerce_get_settings_shipping (classes\class-wc-connect-settings-pages.php:103)
filter rest_post_dispatch (classes\legacy-api-controllers\class-wc-rest-connect-base-controller.php:109)
filter woocommerce_analytics_report_menu_items (src\Analytics\ShippingLabel.php:15)
action admin_enqueue_scripts (src\Analytics\ShippingLabel.php:16)
action admin_init (src\Banners\Banners.php:34)
action admin_notices (src\Banners\Banners.php:42)
action wp_enqueue_scripts (src\Checkout\CheckoutController.php:72)
action woocommerce_after_calculate_totals (src\Checkout\CheckoutController.php:73)
action woocommerce_checkout_update_order_meta (src\Checkout\CheckoutController.php:74)
action woocommerce_store_api_checkout_update_order_meta (src\Checkout\CheckoutController.php:75)
filter woocommerce_shipping_packages (src\Checkout\CheckoutController.php:76)
action wcshipping_return_label_created (src\Emails\WC_Admin_Return_Label_Email.php:70)
action wcshipping_return_label_created (src\Emails\WC_Return_Label_Email.php:74)
filter wcshipping_api_client_body (src\FeatureFlags\FeatureFlags.php:24)
filter wcshipping_features_supported_by_store (src\FeatureFlags\FeatureFlags.php:25)
action plugins_loaded (src\Fulfillments\FulfillmentsClassResolver.php:45)
action admin_menu (src\Integrations\WCST.php:29)
filter all_plugins (src\Integrations\WCST.php:61)
filter woocommerce_order_get__wc_shipment_tracking_items (src\Integrations\WooCommerceShipmentTracking.php:27)
action before_woocommerce_init (src\Loader.php:503)
action plugins_loaded (src\Loader.php:512)
action init (src\Loader.php:513)
action admin_notices (src\Loader.php:745)
action admin_notices (src\Loader.php:764)
action woocommerce_blocks_loaded (src\Loader.php:775)
action after_plugin_row_woocommerce-services/woocommerce-services.php (src\Loader.php:776)
action before_woocommerce_init (src\Loader.php:777)
action woocommerce_blocks_checkout_block_registration (src\Loader.php:802)
action plugin_row_meta (src\Loader.php:823)
action admin_init (src\Loader.php:846)
action admin_init (src\Loader.php:847)
action admin_init (src\Loader.php:848)
action admin_init (src\Loader.php:849)
action wcshipping_enqueue_script (src\Loader.php:863)
action rest_api_init (src\Loader.php:871)
action rest_api_init (src\Loader.php:872)
action woocommerce_init (src\Loader.php:878)
action rest_api_init (src\Loader.php:895)
action admin_notices (src\Loader.php:1137)
action admin_notices (src\Loader.php:1138)
filter woocommerce_payment_gateways (src\Loader.php:1154)
action woocommerce_shipping_zone_method_added (src\Loader.php:1155)
action wcshipping_shipping_zone_method_added (src\Loader.php:1156)
action woocommerce_shipping_zone_method_deleted (src\Loader.php:1165)
action woocommerce_shipping_zone_method_status_toggled (src\Loader.php:1174)
action rest_api_init (src\Loader.php:1219)
action rest_api_init (src\Loader.php:1220)
action rest_api_init (src\Loader.php:1221)
action wcshipping_fetch_service_schemas (src\Loader.php:1222)
filter woocommerce_hidden_order_itemmeta (src\Loader.php:1229)
filter is_protected_meta (src\Loader.php:1230)
action add_meta_boxes_woocommerce_page_wc-orders (src\Loader.php:1231)
action add_meta_boxes_shop_order (src\Loader.php:1232)
filter woocommerce_shipping_fields (src\Loader.php:1233)
action woocommerce_admin_shipping_fields (src\Loader.php:1234)
filter woocommerce_get_order_address (src\Loader.php:1235)
filter wcshipping_shipping_service_settings (src\Loader.php:1236)
action woocommerce_email_after_order_table (src\Loader.php:1237)
filter woocommerce_email_classes (src\Loader.php:1238)
action wcshipping_cleanup_temp_file (src\Loader.php:1239)
action wcshipping_send_return_label_email_delayed (src\Loader.php:1240)
action admin_print_footer_scripts (src\Loader.php:1241)
action shutdown (src\Loader.php:1261)
filter rest_request_before_callbacks (src\Loader.php:1391)
filter woocommerce_get_batch_processor (src\Migration\MigrationController.php:26)
filter woocommerce_debug_tools (src\Migration\MigrationController.php:27)
action admin_notices (src\Migration\MigrationNotices.php:29)
action admin_footer (src\Migration\MigrationNotices.php:30)
filter wp_kses_allowed_html (src\Migration\MigrationNotices.php:124)
action wcshipping_labels_migration_completed (src\Migration\MigrationState.php:45)
action wcshipping_settings_migration_completed (src\Migration\MigrationState.php:46)
action wcshipping_render_wc_settings_page (src\Onboarding\SettingsPage.php:58)
action admin_notices (src\Promo\PromoService.php:47)
action admin_init (src\Promo\PromoService.php:48)
action woocommerce_order_list_table_extra_tablenav (src\ScanForm\ScanForm.php:30)
action manage_posts_extra_tablenav (src\ScanForm\ScanForm.php:31)
action admin_enqueue_scripts (src\ScanForm\ScanForm.php:32)
action admin_notices (src\ServiceData\ServicesErrorNotice.php:55)
filter wcshipping_jetpack_access_token (src\Testing\WCConnectE2EConnectionShim.php:86)
filter wcshipping_jetpack_install_status (src\Testing\WCConnectE2EConnectionShim.php:87)
filter wcshipping_connection_owner_wpcom_data (src\Testing\WCConnectE2EConnectionShim.php:88)
filter wcshipping_account_settings_payload (src\Testing\WCConnectE2EConnectionShim.php:89)
filter wcshipping_garden_is_config_enabled (src\Testing\WCConnectE2EConnectionShim.php:90)
filter wcshipping_garden_wpcloud_config (src\Testing\WCConnectE2EConnectionShim.php:91)
action admin_init (src\Testing\WCConnectE2EConnectionShim.php:93)
action admin_init (src\Testing\WCConnectE2EConnectionShim.php:94)
action admin_head (src\Testing\WCConnectE2EConnectionShim.php:95)
action admin_head (src\Testing\WCConnectE2EConnectionShim.php:96)
action wcshipping_plugin_activation (src\Tracks.php:42)
action wcshipping_plugin_deactivation (src\Tracks.php:43)
action wcshipping_shipping_zone_method_added (src\Tracks.php:44)
action wcshipping_shipping_zone_method_deleted (src\Tracks.php:45)
action wcshipping_shipping_zone_method_status_toggled (src\Tracks.php:46)
action wcshipping_settings_saved (src\Tracks.php:47)
action wcshipping_show_banner (src\Tracks.php:48)
action wcshipping_tos_accepted (src\Tracks.php:49)
action wcshipping_tos_already_accepted (src\Tracks.php:50)
action wcshipping_setup_complete_banner_dismissed (src\Tracks.php:51)
action wcshipping_settings_migration_started (src\Tracks.php:52)
action wcshipping_settings_migration_completed (src\Tracks.php:53)
action wcshipping_labels_migration_started (src\Tracks.php:54)
action wcshipping_labels_migration_completed (src\Tracks.php:55)
action wcshipping_wpcom_connect_site_start (src\Tracks.php:56)
action wcshipping_wpcom_connect_site_error (src\Tracks.php:57)
action wcshipping_wpcom_connect_site_connected (src\Tracks.php:58)
filter rest_post_dispatch (src\WCShippingRESTController.php:129)
filter woocommerce_order_get_items (templates\emails\admin-return-label.php:107)
filter woocommerce_order_get_items (templates\emails\customer-return-label.php:112)
filter woocommerce_order_get_items (templates\emails\plain\admin-return-label.php:78)
filter woocommerce_order_get_items (templates\emails\plain\customer-return-label.php:86)
action plugins_loaded (woocommerce-shipping.php:109)

Scheduled Events: 5

wcshipping_send_return_label_email_delayed
wcshipping_cleanup_temp_file
wcshipping_fetch_service_schemas
wcshipping_send_return_label_email_delayed
wcshipping_cleanup_temp_file
Maintenance & Trust

WooCommerce Shipping Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 10, 2026
PHP min version: 7.4
Downloads: 1.3M

Community Trust

Rating: 42/100
Number of ratings: 15
Active installs: 60K
Developer Profile

WooCommerce Shipping Developer Profile

WooCommerce

36 plugins · 4.7M total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 234 days
Detection Fingerprints

How We Detect WooCommerce Shipping

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/woocommerce-shipping/assets/stylesheets/main.css
/wp-content/plugins/woocommerce-shipping/assets/stylesheets/blocks.style.css
/wp-content/plugins/woocommerce-shipping/assets/stylesheets/legacy.css
/wp-content/plugins/woocommerce-shipping/assets/javascript/app.js
/wp-content/plugins/woocommerce-shipping/assets/javascript/admin-app.js
/wp-content/plugins/woocommerce-shipping/assets/javascript/connection-banner.js
/wp-content/plugins/woocommerce-shipping/assets/javascript/nux-app.js
/wp-content/plugins/woocommerce-shipping/assets/javascript/shipping-services.js
Script Paths
/wp-content/plugins/woocommerce-shipping/assets/javascript/app.js
/wp-content/plugins/woocommerce-shipping/assets/javascript/admin-app.js
/wp-content/plugins/woocommerce-shipping/assets/javascript/connection-banner.js
/wp-content/plugins/woocommerce-shipping/assets/javascript/nux-app.js
/wp-content/plugins/woocommerce-shipping/assets/javascript/shipping-services.js
Version Parameters
woocommerce-shipping/assets/stylesheets/main.css?ver=
woocommerce-shipping/assets/stylesheets/blocks.style.css?ver=
woocommerce-shipping/assets/stylesheets/legacy.css?ver=
woocommerce-shipping/assets/javascript/app.js?ver=
woocommerce-shipping/assets/javascript/admin-app.js?ver=
woocommerce-shipping/assets/javascript/connection-banner.js?ver=
woocommerce-shipping/assets/javascript/nux-app.js?ver=
woocommerce-shipping/assets/javascript/shipping-services.js?ver=

HTML / DOM Fingerprints

CSS Classes
wc-shipping-admin-app
wc-shipping-connection-banner
wc-shipping-nux-app
wc-shipping-services-app
Data Attributes
data-nux-nonce
data-nux-nonce-action
data-nux-nonce-name
JS Globals
wcshipping
wcshipping_shipping_services_localize
REST Endpoints
/wp-json/wcshipping/v1/dismiss-notice
FAQ

Frequently Asked Questions about WooCommerce Shipping