Description
The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver_pos_authorization_token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover.
Published: 2026-05-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability resides in the Oliver POS – A WooCommerce Point of Sale plugin for WordPress and allows an attacker to bypass the REST API authentication mechanism by sending a crafted HTTP header. The plugin's authorization callback compares the value of the attacker-supplied 'OliverAuth' header to the stored 'oliver_pos_authorization_token' option using PHP's loose comparison operator. On a fresh install where the option is unset, the comparison '0' == false evaluates to true, allowing an unauthenticated user to obtain full access to all POS API endpoints. With this access, an attacker can read, modify, or delete user data, including administrator accounts, and can potentially reset an admin email to seize control of the site.
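The Description and Impact sections both come down to one PHP semantics point: get_option() returns false for an unset option, and a loose == against a request string lets '0' match it. The block below is an added example, not the plugin's code: it reconstructs that comparison pattern next to a fail-closed replacement. Only the 'OliverAuth' header name and the 'oliver_pos_authorization_token' option name come from the advisory; the function names, the WP_Error codes and the self-check values are assumptions.

```php
<?php
// Added example (not the Oliver POS plugin's code). Reconstructs the loose
// comparison defect described in the advisory beside a hardened form.
// Names other than the 'OliverAuth' header and the
// 'oliver_pos_authorization_token' option are assumptions.

/**
 * Weak pattern: the raw get_option() result (false when the option is unset)
 * is compared loosely against the header string.
 */
function weak_token_check( $supplied, $stored ): bool {
    return $supplied == $stored; // '0' == false is true (PHP 7 and PHP 8)
}

/**
 * Hardened pattern: refuse while no token is configured, require a real
 * string from the request, then compare strictly and in constant time.
 */
function strict_token_check( $supplied, $stored ): bool {
    if ( ! is_string( $stored ) || $stored === '' ) {
        return false; // fail closed until the connection flow has stored a token
    }
    if ( ! is_string( $supplied ) || $supplied === '' ) {
        return false; // missing header is never a match
    }
    // hash_equals() is a strict string comparison, so type juggling cannot
    // apply, and it does not leak how many leading bytes matched.
    return hash_equals( $stored, $supplied );
}

/**
 * WordPress permission_callback wrapper (hypothetical name). Only meaningful
 * inside WordPress, where get_option(), WP_REST_Request and WP_Error exist.
 */
function hardened_pos_rest_authentication( $request ) {
    $supplied = $request->get_header( 'OliverAuth' );               // null when absent
    $stored   = get_option( 'oliver_pos_authorization_token', '' ); // '' when unset
    if ( strict_token_check( $supplied, $stored ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'Invalid or missing POS token.',
        array( 'status' => 401 )
    );
}

// Self-check, runnable with `php this_file.php` outside WordPress.
// Uses explicit checks rather than assert() so it works regardless of
// the zend.assertions ini setting.
if ( PHP_SAPI === 'cli' && ! function_exists( 'get_option' ) ) {
    $unset_option = false;                     // what get_option() returns on a fresh install
    $real_token   = bin2hex( random_bytes( 16 ) ); // constructed sample token

    $cases = array(
        // label                              => array( actual, expected )
        'weak: unset option, header "0"'      => array( weak_token_check( '0', $unset_option ), true ),
        'strict: unset option, header "0"'    => array( strict_token_check( '0', $unset_option ), false ),
        'strict: unset option, no header'     => array( strict_token_check( null, $unset_option ), false ),
        'strict: correct token'               => array( strict_token_check( $real_token, $real_token ), true ),
        'strict: wrong token'                 => array( strict_token_check( 'x' . $real_token, $real_token ), false ),
    );
    foreach ( $cases as $label => list( $actual, $expected ) ) {
        if ( $actual !== $expected ) {
            fwrite( STDERR, "FAIL: $label\n" );
            exit( 1 );
        }
    }
    echo "all checks passed\n";
}
```

The first case is the advisory's scenario: the weak check accepts the value '0' when no token has ever been stored, while the strict check rejects it. The important design choice is ordering: the stored token is validated before anything from the request is looked at, so an unconfigured installation is closed rather than open.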

Affected Systems

All installations of Oliver POS version 2.4.2.6 or earlier on WordPress sites are affected. The vulnerability exists in the '/wp-json/pos-bridge/*' REST API namespace served by the plugin, and impacts any site that has installed a vulnerable version of the plugin.

Risk and Exploitability

The CVSS score of 6.5 classifies the issue as medium severity, and no EPSS value is publicly available. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a simple HTTP request to any REST endpoint with the header 'OliverAuth: 0', which requires no authentication or user interaction beyond the plugin being installed. Successful exploitation would grant the attacker the same privileges as a fully authenticated user, potentially leading to data breach or complete site takeover.

Generated by OpenCVE AI on May 20, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oliver POS to a version newer than 2.4.2.6 where the authentication comparison is fixed.
  • If an upgrade is not immediately possible, change the 'oliver_pos_authorization_token' option to a random non-zero value or remove it, then complete the connection flow to set a proper token and disable the plugin's authentication bypass.
  • Restrict access to the plugin's REST API by blocking the /wp-json/pos-bridge/* endpoints at the web server or firewall level so that only trusted hosts can reach them.
  • Disable or uninstall the plugin if it is not required for business operations.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Oliverpos; Oliverpos oliver Pos – A Woocommerce Point Of Sale (pos); Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Oliverpos; Oliverpos oliver Pos – A Woocommerce Point Of Sale (pos); Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type: Description
Values removed: (none)
Values added: The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver_pos_authorization_token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover.

Type: Title
Values removed: (none)
Values added: Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header

Type: Weaknesses
Values removed: (none)
Values added: CWE-639

Type: References
Values removed: (none)
Values added:

Type: Metrics
Values removed: (none)
Values added: cvssV3_1
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T13:13:52.305Z

Reserved: 2026-04-10T14:00:15.790Z

Link: CVE-2026-6072

Vulnrichment

Updated: 2026-05-20T13:13:49.072Z

NVD

Status : Deferred

Published: 2026-05-20T02:16:37.207

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-6072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:15Z

Weaknesses