duckPOS Security & Risk Analysis

wordpress.org/plugins/duckpos

A really simple POS display of your site's products with the ability to create simple EMV POS payments or checkout or use other payment gateways.

0 active installs · v1.1.6 · PHP 7.4+ · WP 6.0+ · Updated Feb 16, 2026
pos, woocommerce
Score 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is duckPOS Safe to Use in 2026?

Generally Safe

Score 100/100

duckPOS has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The duckpos v1.1.6 plugin exhibits a generally strong security posture with several good practices in place. The absence of dangerous functions, file operations, and external HTTP requests is positive. Notably, all SQL queries are properly prepared, and a high percentage of output is escaped, significantly mitigating common injection and XSS risks. The plugin also includes a reasonable number of nonce and capability checks, indicating an effort to protect sensitive operations. However, the presence of two REST API routes without permission callbacks represents a clear security concern. While taint analysis showed no issues, and there is no known vulnerability history, these unprotected entry points could allow unauthorized access or manipulation of data if these endpoints are exploitable. In conclusion, the plugin has a good foundation for security, but the unprotected REST API routes are a critical weakness that needs immediate attention. Addressing these specific entry points would further enhance its overall security.

Key Concerns

  • REST API routes without permission checks
Vulnerabilities
None known

duckPOS Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

duckPOS Release Timeline

v1.1.6 (Current)
v1.1.5
v1.1.4
v1.1.3
v1.1.2
Code Analysis
Analyzed Mar 17, 2026

duckPOS Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 3 (86 escaped)
Nonce Checks: 5
Capability Checks: 11
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

97% escaped · 89 total outputs
Attack Surface
2 unprotected

duckPOS Attack Surface

Entry Points: 13
Unprotected: 2

REST API Routes 12

GET /wp-json/duckpos/v1/products (includes\rest-api.php:8)
GET /wp-json/duckpos/v1/categories (includes\rest-api.php:42)
POST /wp-json/duckpos/v1/add-to-cart (includes\rest-api.php:49)
POST /wp-json/duckpos/v1/payplus-gateway (includes\rest-api.php:73)
POST /wp-json/duckpos/v1/payplus-emv (includes\rest-api.php:99)
GET /wp-json/duckpos/v1/available-gateways (includes\rest-api.php:122)
POST /wp-json/duckpos/v1/pay-with-selected-gateway (includes\rest-api.php:132)
POST /wp-json/duckpos/v1/pay-with-cash (includes\rest-api.php:162)
GET /wp-json/duckpos/v1/todays-orders (includes\rest-api.php:186)
GET /wp-json/duckpos/v1/todays-printed-orders (includes\rest-api.php:196)
POST /wp-json/duckpos/v1/calculate-cart-totals (includes\rest-api.php:207)
POST /wp-json/duckpos/v1/mark-order-printed/(?P<order_id>\d+) (includes\rest-api.php:224)

Shortcodes 1

[duckpos_pos_page] duckpos.php:73
WordPress Hooks 14
action plugins_loaded (duckpos.php:31)
action wp_enqueue_scripts (duckpos.php:52)
filter show_admin_bar (duckpos.php:64)
action woocommerce_thankyou (duckpos.php:363)
action admin_bar_menu (duckpos.php:394)
action admin_menu (duckpos.php:397)
action admin_init (duckpos.php:400)
action admin_init (includes\admin-settings.php:277)
action woocommerce_before_calculate_totals (includes\class-duckpos-sales-rules.php:14)
action woocommerce_add_to_cart (includes\class-duckpos-sales-rules.php:127)
action woocommerce_cart_item_removed (includes\class-duckpos-sales-rules.php:128)
action rest_api_init (includes\rest-api.php:6)
action woocommerce_checkout_update_order_meta (includes\rest-api.php:1629)
action woocommerce_order_status_changed (includes\rest-api.php:1663)
Maintenance & Trust

duckPOS Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 16, 2026
PHP min version: 7.4
Downloads: 557

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

duckPOS Developer Profile

PayPlus Tech Team

4 plugins · 1K total installs

Trust score: 91
Avg Security Score: 95/100
Avg Patch Time: 8 days
Detection Fingerprints

How We Detect duckPOS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/duckpos/assets/js/vue.min.js
  • /wp-content/plugins/duckpos/assets/css/pos-app.css
  • /wp-content/plugins/duckpos/assets/js/pos-app-insert.min.js
  • /wp-content/plugins/duckpos/assets/js/pos-app.min.js
  • /wp-content/plugins/duckpos/assets/images/noImage.png
Script Paths
  • vue
  • duckpos-pos-app-insert
  • duckpos-pos-app
Version Parameters
  • duckpos/assets/css/pos-app.css?ver=
  • duckpos/assets/js/pos-app-insert.min.js?ver=
  • duckpos/assets/js/pos-app.min.js?ver=

HTML / DOM Fingerprints

Data Attributes
  • data-duckpos-payment-type
  • data-duckpos-order-id
JS Globals
  • window.duckpos_translations
REST Endpoints
  • /wp-json/duckpos/v1/get_products
  • /wp-json/duckpos/v1/cart/add
  • /wp-json/duckpos/v1/cart/update
  • /wp-json/duckpos/v1/cart/remove
  • /wp-json/duckpos/v1/cart/clear
  • /wp-json/duckpos/v1/checkout
  • /wp-json/duckpos/v1/orders/recent
  • /wp-json/duckpos/v1/orders/printed
  • /wp-json/duckpos/v1/orders/unprinted
  • /wp-json/duckpos/v1/payment/payplus
  • /wp-json/duckpos/v1/payment/payplus_emv
Shortcode Output
[duckpos_pos_page]
FAQ

Frequently Asked Questions about duckPOS