Vulnerabilities and security researches forvitepos-lite vitepos-lite

Jun 06, 2024

CVE, Research URL: CVE-2024-33574
Home page URL: Security reports for Vitepos – Point of sale (POS) plugin for WooCommerce
Application: Vitepos – Point of sale (POS) plugin for WooCommerce
Date: May 08, 2024
Research Description: Missing Authorization vulnerability in appsbd Vitepos.This issue affects Vitepos: from n/a through 3.0.1.
Affected versions: max 3.0.2.
Status: vulnerable

Feb 21, 2025

CVE, Research URL: CVE-2025-26750
Home page URL: Security reports for Vitepos – Point of sale (POS) plugin for WooCommerce
Application: Vitepos – Point of sale (POS) plugin for WooCommerce
Date: Feb 22, 2025
Research Description: Missing Authorization vulnerability in appsbd Vitepos vitepos-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vitepos: from n/a through <= 3.1.3.
Affected versions: max 3.1.4.
Status: vulnerable

Apr 03, 2025

CVE, Research URL: CVE-2025-22277
Home page URL: Security reports for Vitepos – Point of sale (POS) plugin for WooCommerce
Application: Vitepos – Point of sale (POS) plugin for WooCommerce
Date: Apr 01, 2025
Research Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse.This issue affects Vitepos: from n/a through <= 3.1.4.
Affected versions: max 3.1.5.
Status: vulnerable

Apr 19, 2025

CVE, Research URL: CVE-2025-39535
Home page URL: Security reports for Vitepos – Point of sale (POS) plugin for WooCommerce
Application: Vitepos – Point of sale (POS) plugin for WooCommerce
Date: Apr 17, 2025
Research Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse.This issue affects Vitepos: from n/a through <= 3.1.7.
Affected versions: max 3.1.8.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-13156
Home page URL: Security reports for Vitepos – Point of sale (POS) plugin for WooCommerce
Application: Vitepos – Point of sale (POS) plugin for WooCommerce
Date: Nov 21, 2025
Research Description: The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible.
Affected versions: max 3.3.1.
Status: vulnerable

Jun 24, 2026

CVE, Research URL: CVE-2026-8157
Home page URL: Security reports for Vitepos – Point of sale (POS) plugin for WooCommerce
Application: Vitepos – Point of sale (POS) plugin for WooCommerce
Date: Jun 22, 2026
Research Description: The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.
Affected versions: max 3.4.2.
Status: vulnerable