WPCargo Track & Trace Security & Risk Analysis

wordpress.org/plugins/wpcargo

WPCargo is a track & trace system for courier, courier script, parcel, balikbayan system, shipment and transportation management system, ideal sol …

10K active installs · v8.0.2 · PHP 8.2+ · WP + · Updated Jul 23, 2025
delivery-calculator, order-tracking, shipment-tracking, status-tracking, transportation-management
Score: 37 (D · High Risk)
CVEs total: 6
Unpatched: 3
Last CVE: Mar 31, 2025
Safety Verdict

Is WPCargo Track & Trace Safe to Use in 2026?

High Risk

Score 37/100

WPCargo Track & Trace carries significant security risk with 6 known CVEs, 3 still unpatched. Consider switching to a maintained alternative.

6 known CVEs · 3 unpatched · Last CVE: Mar 31, 2025 · Updated 8mo ago
Risk Assessment

The WPCargo plugin version 8.0.2 exhibits a concerning security posture, despite some positive aspects. While it demonstrates a decent rate of prepared statement usage for SQL queries and proper output escaping, these strengths are overshadowed by significant weaknesses. The presence of 5 unprotected AJAX handlers presents a substantial attack surface, as these entry points can be exploited without proper authentication. Furthermore, the taint analysis reveals 3 high-severity flows with unsanitized paths, indicating potential for serious vulnerabilities like cross-site scripting or injection attacks. The plugin's history of 6 CVEs, with 3 currently unpatched (including one critical and one high), highlights a recurring pattern of security flaws. The types of past vulnerabilities, including authorization bypass, SQL injection, XSS, and code injection, are particularly worrying and suggest a systemic issue in how user input is handled and access is controlled. The plugin's last reported vulnerability was recent, suggesting ongoing security challenges.

Key Concerns

  • 5 unprotected AJAX handlers
  • 3 high severity unsanitized taint flows
  • 1 unpatched critical CVE
  • 1 unpatched high severity CVE
  • Uses unserialize() function
  • 2 SQL queries without prepared statements
  • 4 Nonce checks on 11 entry points
Vulnerabilities: 6

WPCargo Track & Trace Security Vulnerabilities

CVEs by Year

2022: 3 CVEs
2024: 2 CVEs · unpatched
2025: 1 CVE · unpatched

Severity Breakdown

Critical: 1
High: 1
Medium: 4

6 total CVEs

CVE-2025-31609 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

WPCargo Track & Trace <= 8.0.1 - Authenticated (Contributor+) Insecure Direct Object Reference

Mar 31, 2025 · Unpatched

CVE-2024-54271 · medium · 4.3 · Missing Authorization

WPCargo Track & Trace <= 8.0.1 - Missing authorization to Authenticated (Subscriber+) Settings Update

Dec 11, 2024 · Unpatched

CVE-2024-44004 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WPCargo Track & Trace <= 8.0.2 - Unauthenticated SQL Injection

Sep 16, 2024 · Unpatched

CVE-2022-1435 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPCargo Track & Trace <= 6.9.4 - Admin+ Stored Cross Site Scripting

Apr 25, 2022 · Patched in 6.9.5 (638d)

CVE-2022-1436 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPCargo Track & Trace <= 6.9.4 - Reflected Cross-Site Scripting

Apr 25, 2022 · Patched in 6.9.5 (638d)

CVE-2021-25003 · critical · 9.8 · Improper Control of Generation of Code ('Code Injection')

WPCargo <= 6.8.9 - Unauthenticated Remote Code Execution

Feb 21, 2022 · Patched in 6.9.0 (701d)
Code Analysis
Analyzed Mar 16, 2026

WPCargo Track & Trace Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 5 (17 prepared)
Unescaped Output: 139 (772 escaped)
Nonce Checks: 4
Capability Checks: 6
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $unserialize_meta_fields = unserialize($get_meta_fields); · admin\classes\class-wpc-export.php:302
unserialize · $unser_meta_fields = unserialize($get_meta_fields); · admin\classes\class-wpc-export.php:312

Bundled Libraries

Select2

SQL Query Safety

77% prepared · 22 total queries

Output Escaping

85% escaped · 911 total outputs
Data Flows: 9 unsanitized

Data Flow Analysis

9 flows · 9 with unsanitized paths
save_metabox (admin\classes\class-wpc-metabox.php:221)
Attack Surface: 5 unprotected

WPCargo Track & Trace Attack Surface

Entry Points: 11
Unprotected: 5

AJAX Handlers 5

auth wp_ajax_update_import_option_ajax_request admin\classes\class-wpc-export-extend.php:9
auth wp_ajax_search_shipper admin\classes\class-wpc-export-extend.php:10
auth wp_ajax_update_import_option_ajax_request admin\classes\class-wpc-export-extend.php:76
auth wp_ajax_view_shipment_details admin\includes\ajax-handler.php:32
nopriv wp_ajax_view_shipment_details admin\includes\ajax-handler.php:33

Shortcodes 6

[wpcargo_trackform] classes\class-wpc-shortcode.php:7
[wpcargo_trackresults] classes\class-wpc-shortcode.php:8
[wpcargo_multi_track] classes\class-wpc-shortcode.php:9
[wpcargo_multi_track_result] classes\class-wpc-shortcode.php:10
[wpcargo_account] classes\class-wpc-shortcode.php:19
[wpc-ca-account] classes\class-wpc-shortcode.php:20
WordPress Hooks 96
action show_user_profile admin\classes\class-user.php:7
action edit_user_profile admin\classes\class-user.php:8
action personal_options_update admin\classes\class-user.php:9
action edit_user_profile_update admin\classes\class-user.php:10
action admin_enqueue_scripts admin\classes\class-wpc-admin-scripts.php:7
action admin_head admin\classes\class-wpc-admin-scripts.php:72
action admin_menu admin\classes\class-wpc-admin-settings.php:8
action admin_init admin\classes\class-wpc-admin-settings.php:10
filter manage_wpcargo_shipment_posts_columns admin\classes\class-wpc-custom-table.php:5
action manage_wpcargo_shipment_posts_custom_column admin\classes\class-wpc-custom-table.php:22
filter manage_edit-wpcargo_shipment_sortable_columns admin\classes\class-wpc-custom-table.php:92
action pre_get_posts admin\classes\class-wpc-custom-table.php:101
action quick_edit_custom_box admin\classes\class-wpc-custom-table.php:128
action bulk_edit_custom_box admin\classes\class-wpc-custom-table.php:129
action save_post admin\classes\class-wpc-custom-table.php:186
action admin_menu admin\classes\class-wpc-email-settings.php:8
action admin_init admin\classes\class-wpc-email-settings.php:10
action admin_menu admin\classes\class-wpc-export-extend.php:8
filter wp_mail_content_type admin\classes\class-wpc-metabox.php:12
action wpcargo_shipper_meta_section admin\classes\class-wpc-metabox.php:14
action wpcargo_receiver_meta_section admin\classes\class-wpc-metabox.php:15
action wpcargo_shipment_meta_section admin\classes\class-wpc-metabox.php:16
filter wpcargo_after_reciever_meta_section_sep admin\classes\class-wpc-metabox.php:17
action save_post_wpcargo_shipment admin\classes\class-wpc-metabox.php:18
action add_meta_boxes admin\classes\class-wpc-metabox.php:19
action post_submitbox_misc_actions admin\classes\class-wpc-metabox.php:20
filter login_redirect admin\classes\class-wpc-metabox.php:22
filter wpcargo_shipment_details_mb admin\classes\class-wpc-metabox.php:23
action after_setup_theme admin\classes\class-wpc-metabox.php:24
action admin_init admin\classes\class-wpc-metabox.php:25
action admin_menu admin\classes\class-wpc-mp-settings.php:7
action admin_init admin\classes\class-wpc-mp-settings.php:8
action wpc_add_settings_nav admin\classes\class-wpc-mp-settings.php:9
action init admin\classes\class-wpc-post-types.php:7
action admin_menu admin\classes\class-wpc-print-admin.php:7
action admin_print_header admin\classes\class-wpc-print-admin.php:8
action admin_print_shipper admin\classes\class-wpc-print-admin.php:9
action admin_print_shipment admin\classes\class-wpc-print-admin.php:10
action admin_enqueue_scripts admin\classes\class-wpc-shipment-map.php:7
action admin_menu admin\classes\class-wpc-shipment-map.php:9
action admin_init admin\classes\class-wpc-shipment-map.php:10
action wpc_add_settings_nav admin\classes\class-wpc-shipment-map.php:11
action restrict_manage_posts admin\includes\filters.php:5
filter parse_query admin\includes\filters.php:92
filter posts_join admin\includes\filters.php:167
filter posts_where admin\includes\filters.php:175
filter wpcargo_account_query admin\includes\filters.php:201
action init admin\includes\functions.php:219
action wpcargo_fields_option_settings_group admin\includes\hooks.php:19
action wpcargo_email_footer_divider admin\includes\hooks.php:20
action before_wpcargo_shipment_history admin\includes\hooks.php:22
action wpcsr_create_order_after_form_wrapper admin\includes\hooks.php:24
action wpc_pq_after_form_wrapper admin\includes\hooks.php:25
action wpcfe_before_invoice_content admin\includes\hooks.php:32
action wpcfe_invoice_site_info admin\includes\hooks.php:33
action wpcfe_invoice_barcode_info admin\includes\hooks.php:34
action wpcfe_invoice_shipper_info admin\includes\hooks.php:35
action wpcfe_invoice_receiver_info admin\includes\hooks.php:36
action wpcfe_end_invoice_section admin\includes\hooks.php:37
action wpcfe_before_invoice_content admin\includes\hooks.php:39
action plugins_loaded admin\includes\hooks.php:42
action wpcargo_after_track_details admin\includes\hooks.php:203
action wpcargo_after_track_details admin\includes\hooks.php:230
action wpc_cf_after_form_field_add admin\includes\hooks.php:242
action wpc_cf_after_form_field_edit admin\includes\hooks.php:251
action wp_footer admin\includes\hooks.php:252
filter plugin_row_meta admin\includes\hooks.php:272
action quick_edit_custom_box admin\includes\hooks.php:282
action bulk_edit_custom_box admin\includes\hooks.php:283
action save_post admin\includes\hooks.php:334
action deactivated_plugin admin\includes\hooks.php:343
action wpcargo_before_shipment_details admin\includes\hooks.php:487
action wpc_add_settings_nav admin\includes\hooks.php:653
action pre_post_update admin\includes\logs.php:178
action save_post admin\includes\logs.php:179
action delete_post admin\includes\logs.php:180
action wp_trash_post admin\includes\logs.php:181
action untrash_post admin\includes\logs.php:182
action updated_post_meta admin\includes\logs.php:183
action wpcargo_print_btn classes\class-wpc-print.php:7
action wp_enqueue_scripts classes\class-wpc-scripts.php:7
action wp_print_styles classes\class-wpc-scripts.php:8
action wp_head classes\class-wpc-scripts.php:85
action wpcargo_track_form classes\class-wpc-shortcode.php:11
action wpcargo_multi_track_form classes\class-wpc-shortcode.php:12
action wpcargo_track_result_form classes\class-wpc-shortcode.php:13
action wpcargo_multi_track_result_form classes\class-wpc-shortcode.php:14
action wpcargo_track_header_details classes\class-wpc-shortcode.php:15
action wpcargo_track_shipper_details classes\class-wpc-shortcode.php:16
action wpcargo_track_shipment_details classes\class-wpc-shortcode.php:17
action wpcargo_after_package_details includes\packages.php:119
action wpcargo_after_package_details includes\packages.php:126
action wpcargo_after_package_totals includes\packages.php:156
action wpcargo_after_package_details_script includes\packages.php:157
action wpcargo_after_save_shipment includes\packages.php:507
action init wpcargo.php:53
Maintenance & Trust

WPCargo Track & Trace Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jul 23, 2025
PHP min version: 8.2
Downloads: 377K

Community Trust

Rating: 80/100
Number of ratings: 30
Active installs: 10K
Developer Profile

WPCargo Track & Trace Developer Profile

Arni Cinco

3 plugins · 10K total installs

Trust score: 56
Avg Security Score: 67/100
Avg Patch Time: 659 days
Detection Fingerprints

How We Detect WPCargo Track & Trace

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpcargo/admin/assets/js/jquery.datetimepicker.full.min.js
/wp-content/plugins/wpcargo/admin/assets/js/jquery.repeater.js
/wp-content/plugins/wpcargo/admin/assets/js/wpcargo-admin.js
/wp-content/plugins/wpcargo/admin/assets/js/select2.full.min.js
/wp-content/plugins/wpcargo/admin/assets/css/jquery.datetimepicker.min.css
/wp-content/plugins/wpcargo/admin/assets/css/select2.min.css
/wp-content/plugins/wpcargo/admin/assets/css/admin-style.css
/wp-content/plugins/wpcargo/admin/assets/js/color-picker.js
+3 more
Script Paths
/wp-content/plugins/wpcargo/admin/assets/js/jquery.datetimepicker.full.min.js
/wp-content/plugins/wpcargo/admin/assets/js/jquery.repeater.js
/wp-content/plugins/wpcargo/admin/assets/js/wpcargo-admin.js
/wp-content/plugins/wpcargo/admin/assets/js/select2.full.min.js
/wp-content/plugins/wpcargo/admin/assets/js/color-picker.js
/wp-content/plugins/wpcargo/admin/assets/js/wpc-multiselect-reports.js
+1 more
Version Parameters
wpcargo-admin-js?ver=
wpcargo-datetimepicker?ver=
wpcargo-admin-css?ver=
wpcargo-select2-css?ver=
wpcargo-multiple-package-style-admin?ver=
wpcargo-multiselect-export?ver=
wpc-autocomplete-ajax?ver=

HTML / DOM Fingerprints

CSS Classes
wpc-cf-setting-adminemail-setting-admin-formwpc-settings-navbook-submitbutton-wpcargobutton-submitaddress-listsms-admin-form
HTML Comments
Defined constant
Include files
Admin
Frontend
+5 more
Data Attributes
data-wpcargo-base-color
JS Globals
wpcargoAJAXHandler
wpc_ie_ajaxscripthandler