Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)

barcode-scanner-lite-pos-to-manage-products-inventory-and-orders · by ukrsolution · wordpress.org ↗ · SVN ↗
Active installs
1k+
Current version
1.12.2
Added
2021-08-03
Last updated
2026-06-24 (8d ago)
First seen by beacon
2mo ago
Total downloads
42,870

Statistics

2024-06-17 → 2026-06-15 · 729 days
Downloads today
19
7-day total 139
Week over week
▲ +6%
vs prior 7 days
30-day trend
flat
▼ -60% MoM
Abandonment
○○○○○
healthy
Downloads/day Linear trend
3612711819002024-062024-102025-022025-062025-102026-022026-06
3272451648202026-032026-042026-042026-052026-052026-06
6347321602026-052026-052026-052026-062026-062026-06

Active versions

1.121.111.81.6
1.12 · 43.5%1.11 · 19.5%1.8 · 11.9%1.6 · 9.4%other · 8.0%1.10 · 7.7%

Ratings

5★
52
4★
0
3★
0
2★
0
1★
0

Support: 0/0 resolved

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · benign_architectural_concern 2026-04-30 15:25:31 (2mo ago)
Slugbarcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Patternunserialize_after_remote_call
Kindbuiltin
Version1.12.1
Hit count1
First hit
File
src/features/updater/WpAutoUpdate.php
Line
149
Snippet
L146: $request = wp_remote_post($this->update_path, $params); → L149: $serverData = @unserialize($request['body']);
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "barcode-scanner-lite-pos-to-manage-products-inventory-and-orders",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "1.12.1",
    "hit_count": 1,
    "first_hit": {
        "file": "src/features/updater/WpAutoUpdate.php",
        "line": 149,
        "snippet": "L146: $request = wp_remote_post($this->update_path, $params);  \u2192  L149: $serverData = @unserialize($request['body']);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to barcode-scanner-lite-pos-to-manage-products-inventory-and-orders on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
Dmitry V. (CEO of "UKR Solution") 2016-01-08 154 2021-08-03 · r2577245 2026-05-12 · r3529543
plugin-master 2007-03-09 1 2021-07-15 · r2564695 2021-07-15 · r2564695

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
Dmitry V. (CEO of "UKR Solution") 2016-01-08 154 commits Active

Versions (3 most recent)

Version Released Download
1.12.2 2026-05-12 · 1mo ago zip
1.12.1 2026-04-24 · 2mo ago zip
1.10.5 2025-09-18 · 9mo ago zip