Vulnerabilities and security researches foroliver-pos oliver-pos

Jun 07, 2024

CVE, Research URL: CVE-2024-1954
Home page URL: Security reports for Oliver POS – A WooCommerce Point of Sale (POS)
Application: Oliver POS – A WooCommerce Point of Sale (POS)
Date: Feb 28, 2024
Research Description: The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1.8. This is due to missing or incorrect nonce validation in the includes/class-pos-bridge-install.php file. This makes it possible for unauthenticated attackers to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2.4.1.9.
Status: vulnerable

CVE, Research URL: CVE-2024-0702
Home page URL: Security reports for Oliver POS – A WooCommerce Point of Sale (POS)
Application: Oliver POS – A WooCommerce Point of Sale (POS)
Date: Feb 29, 2024
Research Description: The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions hooked via AJAX in the includes/class-pos-bridge-install.php file in all versions up to, and including, 2.4.1.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more.
Affected versions: max 2.4.2.1.
Status: vulnerable

Feb 16, 2025

CVE, Research URL: CVE-2024-13513
Home page URL: Security reports for Oliver POS – A WooCommerce Point of Sale (POS)
Application: Oliver POS – A WooCommerce Point of Sale (POS)
Date: Feb 15, 2025
Research Description: The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.4.2.3 disabled logging but left sites with existing log files vulnerable.
Affected versions: max 2.4.2.4.
Status: vulnerable

May 23, 2026

CVE, Research URL: CVE-2026-6072
Home page URL: Security reports for Oliver POS – A WooCommerce Point of Sale (POS)
Application: Oliver POS – A WooCommerce Point of Sale (POS)
Date: May 20, 2026
Research Description: The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver_pos_authorization_token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover.
Affected versions: max 2.4.2.6.
Status: vulnerable