CVE-2024-0702
📋 TL;DR
The Oliver POS WordPress plugin has missing capability checks on AJAX functions, allowing authenticated attackers with subscriber-level access or higher to perform unauthorized administrative actions like deactivating the plugin, disconnecting subscriptions, and syncing status. This affects all versions up to and including 2.4.1.8.
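The bug class described above is an AJAX callback that is registered only for logged-in users but never checks which user is calling. The following is an added illustration of that pattern and its fix, not code from the Oliver POS plugin; the hook names, function names, option key and nonce action are hypothetical.

```php
<?php
/**
 * Added illustration, not Oliver POS code: a "missing capability check on
 * an AJAX action" bug in its general form, beside the hardened version.
 * All identifiers below (example_pos_*) are hypothetical.
 */

// --- Vulnerable pattern -------------------------------------------------
// Registered on the wp_ajax_ prefix, so a login is required, but the callback
// never asks *which* user is calling. Any subscriber can trigger it.
add_action( 'wp_ajax_example_pos_disconnect', 'example_pos_disconnect_vulnerable' );

function example_pos_disconnect_vulnerable() {
    delete_option( 'example_pos_connection' );   // hypothetical option key
    wp_send_json_success( array( 'disconnected' => true ) );
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_pos_disconnect_v2', 'example_pos_disconnect_hardened' );

function example_pos_disconnect_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request with "-1" when it fails.
    check_ajax_referer( 'example_pos_disconnect', 'nonce' );

    // 2. Authorization: "logged in" is not "allowed". Require the capability
    //    an administrator needs to change plugin settings. wp_send_json_error()
    //    exits, so nothing below runs for an unprivileged caller.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    delete_option( 'example_pos_connection' );
    wp_send_json_success( array( 'disconnected' => true ) );
}

// The admin page that issues the request must embed the matching nonce,
// otherwise legitimate calls fail step 1.
function example_pos_enqueue_admin_js() {
    wp_enqueue_script( 'example-pos-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-pos-admin', 'examplePos', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_pos_disconnect' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_pos_enqueue_admin_js' );
```

The two checks are independent: the nonce stops a cross-site request riding on an administrator's session, and `current_user_can()` stops a low-privilege account calling the endpoint directly. A handler needs both; the vulnerability on this page is the absence of the second.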
💻 Affected Systems
- Oliver POS - A WooCommerce Point of Sale (POS) plugin for WordPress
📦 What is this software?
Oliver POS by Oliverpos
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable the POS system, disrupt business operations, manipulate subscription data, and potentially gain further access to compromise the WordPress installation.
Likely Case
Malicious users with subscriber accounts could disrupt POS functionality, cause service interruptions, and manipulate plugin settings affecting business operations.
If Mitigated
With proper user role management and network segmentation, impact is limited to plugin functionality disruption without broader system compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in publicly accessible AJAX endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.1.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-install.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Oliver POS plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.4.1.9+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Temporary User Role Restriction
Temporarily restrict subscriber-level users from accessing the site until the patch is applied.
Plugin Deactivation
Temporarily deactivate the Oliver POS plugin if it is not critical for operations.
wp plugin deactivate oliver-pos
🧯 If You Can't Patch
- Implement strict user role management and limit subscriber accounts
- Add web application firewall rules to block suspicious AJAX requests to the vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Oliver POS → Version. If the version is 2.4.1.8 or lower, the system is vulnerable.
Check Version:
wp plugin get oliver-pos --field=version
Verify Fix Applied:
After updating, verify version is 2.4.1.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests from subscriber-level users to /wp-admin/admin-ajax.php with action parameters related to Oliver POS functions
- Multiple plugin deactivation/reconnection attempts from non-admin users
Network Indicators:
- POST requests to admin-ajax.php with oliver_pos action parameters from unexpected user roles
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "oliver_pos" AND (user_role="subscriber" OR user_role="contributor")
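For sites that cannot patch immediately (the "If You Can't Patch" list above) and want log lines the SIEM query above can match, an interim control can sit in front of admin-ajax.php inside WordPress itself. The following must-use plugin is an added example, not Oliver POS code: it refuses plugin AJAX actions from users without `manage_options` and writes one log line per refusal. It assumes the affected actions share the `oliver_pos` prefix named in the indicators above; that prefix has not been verified against the plugin source and should be checked against the installed version.

```php
<?php
/**
 * Plugin Name: Example POS AJAX guard (added example, not Oliver POS code)
 *
 * Place in wp-content/mu-plugins/ as an interim control until 2.4.1.9+ is
 * installed. admin_init fires on admin-ajax.php before any wp_ajax_* callback,
 * so this runs ahead of the plugin's own handlers.
 *
 * Assumption: the affected actions start with EXAMPLE_POS_ACTION_PREFIX.
 * Adjust it after inspecting the installed plugin's add_action('wp_ajax_...') calls.
 */

define( 'EXAMPLE_POS_ACTION_PREFIX', 'oliver_pos' );   // from the page's indicators; verify locally

function example_pos_guard_ajax() {
    if ( ! wp_doing_ajax() ) {
        return; // regular admin page load, not admin-ajax.php
    }

    $raw    = isset( $_REQUEST['action'] ) ? (string) wp_unslash( $_REQUEST['action'] ) : '';
    $action = preg_replace( '/[^A-Za-z0-9_\-]/', '', $raw );   // keep the log line clean
    if ( $action === '' || strpos( $action, EXAMPLE_POS_ACTION_PREFIX ) !== 0 ) {
        return; // not a POS action, nothing to do
    }
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrator: allow; the patched plugin still does its own checks
    }

    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'anonymous';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // One line per refusal; carries user_role so the SIEM query above matches it.
    error_log( sprintf(
        'example_pos_guard blocked admin-ajax action=%s user_id=%d user_role=%s ip=%s',
        $action, $user->ID, $roles, $ip
    ) );

    wp_send_json_error( array( 'message' => 'Action not permitted for this role.' ), 403 );
}
add_action( 'admin_init', 'example_pos_guard_ajax', 1 );
```

Because the guard keys on the `action` parameter rather than on a fixed list of function names, it covers every handler under the prefix, including ones the advisory does not name; the cost is that an administrator-only AJAX call from a legitimate non-admin role (if the plugin has any) would also be refused, which the log line makes visible. Remove the file once the plugin is updated to 2.4.1.9 or later.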
🔗 References
- https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-install.php#L11
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b5c6f351-477b-4384-9863-fe3b45ddf21d?source=cve