WordPress Plugin Vulnerabilities

Oliver POS < 2.4.2.1 - Subscriber+ Unauthorized AJAX Calls

Description

The plugin is vulnerable to unauthorized access due to missing capability checks on several functions hooked via AJAX in the includes/class-pos-bridge-install.php file, allowing authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more.

Affects Plugins

Plugin icon
oliver-pos
Fixed in 2.4.2.1

References

CVE
CVE-2024-0702
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b5c6f351-477b-4384-9863-fe3b45ddf21d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
d8bb5217-4dd4-4b54-88c2-5925e6125ccf

Timeline

Publicly Published
2024-02-19 (about 2 years ago)
Added
2024-02-19 (about 2 years ago)
Last Updated
2024-02-29 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
Frontend File Manager < 23.4 - Missing Authorization
Published
2026-02-07
Title
WpXmas-Snow <= 1.1 - Missing Authorization
Published
2026-01-11
Title
Post Expirator < 4.9.4 - Missing Authorization
Published
2026-02-11
Title
Gutenberg Blocks by Kadence Blocks < 3.6.0 - Missing Authorization
Published
2025-11-08
Title
Content Pilot < 2.1.8 - Missing Authorization