CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13513 – Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.3 - Sensitive Information Exposure to Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-13513
14 Feb 2025 — The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.... • https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/models/class-pos-bridge-user.php#L373 • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1954 – Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.1.8 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-1954
27 Feb 2024 — The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1.8. This is due to missing or incorrect nonce validation in the includes/class-pos-bridge-install.php file. This makes it possible for unauthenticated attackers to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more via a forged request granted they can trick a site administrat... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035108%40oliver-pos&new=3035108%40oliver-pos&sfp_email=&sfph_mail= • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0702 – Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-0702
19 Feb 2024 — The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions hooked via AJAX in the includes/class-pos-bridge-install.php file in all versions up to, and including, 2.4.1.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more. Oliver POS: u... • https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-install.php#L11 • CWE-862: Missing Authorization •