CVE-2024-13513
📋 TL;DR
The Oliver POS WordPress plugin exposes sensitive clientToken data through logging functionality, allowing unauthenticated attackers to extract credentials and perform account takeover. This affects all versions up to 2.4.2.3. Sites using vulnerable versions are at risk of complete compromise.
💻 Affected Systems
- Oliver POS - A WooCommerce Point of Sale (POS) plugin for WordPress
📦 What is this software?
Oliver POS by Oliverpos
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrative access, modify all user accounts, steal data, and potentially deploy malware or ransomware.
Likely Case
Attackers extract clientToken, modify administrator accounts, change passwords, and gain persistent access to the WordPress site.
If Mitigated
If logging is disabled and old log files are removed, the exposure vector is eliminated, though any previously leaked tokens could still be used.
🎯 Exploit Status
Exploitation requires accessing exposed log files containing clientToken, then using that token to modify user accounts via API calls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.4.2.3
Restart Required: No
Instructions:
1. Update the Oliver POS plugin to the latest version.
2. Manually delete any existing log files created by the plugin.
3. Verify that logging is disabled in the plugin settings.
🔧 Temporary Workarounds
Delete existing log files
Linux: Remove any log files created by the Oliver POS plugin to eliminate exposed clientToken data.
find /path/to/wordpress -name "*oliver*log*" -type f -delete
find /path/to/wordpress -name "*.log" -type f -exec grep -l "clientToken" {} \; -delete
Disable plugin temporarily
All platforms: Deactivate the Oliver POS plugin until patched to prevent exploitation.
wp plugin deactivate oliver-pos
🧯 If You Can't Patch
- Disable the Oliver POS plugin completely and use alternative POS solutions
- Implement web application firewall rules to block access to log files and suspicious API requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for Oliver POS plugin version. If version is 2.4.2.3 or earlier, the site is vulnerable. Also check for accessible log files containing 'clientToken'.
Check Version:
wp plugin get oliver-pos --field=version
Verify Fix Applied:
Confirm plugin version is later than 2.4.2.3, verify no log files contain 'clientToken' strings, and test that logging functionality is disabled.
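The two checks above (version at or below 2.4.2.3, and log files that still contain clientToken) can be scripted. The following is an added example, not code from the advisory or the Oliver POS project. It assumes wp-cli is installed for the live version lookup (using the advisory's own `wp plugin get` command plus the standard `--path` global flag), that the WordPress root is passed as the first argument, that plugin log files end in `.log`, and that version strings are purely numeric and dot-separated. The sample log files written by `demo_scan` are constructed for illustration.

```shell
#!/bin/sh
# Added verification helper (not the advisory's or the Oliver POS project's code).
# Assumes wp-cli for the live version check and .log file names for plugin logs.

LAST_AFFECTED="2.4.2.3"   # last affected version stated in the advisory

# vercmp A B: prints -1, 0 or 1 as dot-separated numeric version A is <, == or > B
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        : "${ai:=0}"; : "${bi:=0}"          # missing components count as 0 (2.4 == 2.4.0)
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# is_vulnerable_version VER: succeeds (exit 0) when VER is 2.4.2.3 or earlier
is_vulnerable_version() {
    [ "$(vercmp "$1" "$LAST_AFFECTED")" -le 0 ]
}

# scan_logs_for_token DIR: prints every *.log file under DIR that contains "clientToken"
scan_logs_for_token() {
    find "$1" -type f -name '*.log' -exec grep -l 'clientToken' {} \; 2>/dev/null
}

# check_site WP_ROOT: live check of the installed version and leftover log files
check_site() {
    root="$1"
    if command -v wp >/dev/null 2>&1; then
        ver="$(wp plugin get oliver-pos --field=version --path="$root" 2>/dev/null || echo unknown)"
        if [ "$ver" = "unknown" ]; then
            echo "oliver-pos not installed or wp-cli lookup failed"
        elif is_vulnerable_version "$ver"; then
            echo "VULNERABLE: oliver-pos $ver (<= $LAST_AFFECTED)"
        else
            echo "patched: oliver-pos $ver"
        fi
    else
        echo "wp-cli not available; skipping version check"
    fi
    leaked="$(scan_logs_for_token "$root")"
    if [ -n "$leaked" ]; then
        printf 'log files still containing clientToken:\n%s\n' "$leaked"
    else
        echo "no log files containing clientToken under $root"
    fi
}

# demo_scan: builds a constructed sample tree (placeholder token, not real plugin
# output) and prints how many files the scan flags
demo_scan() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-content/uploads"
    printf 'info: sync started\n' > "$d/wp-content/uploads/clean.log"
    printf 'debug: {"clientToken":"PLACEHOLDER-NOT-A-REAL-TOKEN"}\n' \
        > "$d/wp-content/uploads/oliver-pos-debug.log"
    scan_logs_for_token "$d" | wc -l | tr -d ' '
    rm -rf "$d"
}

# Usage: sh check-oliver-pos.sh /var/www/html
if [ $# -ge 1 ]; then
    check_site "$1"
fi
```

Run it against the WordPress root after updating; a clean result is a patched version line plus "no log files containing clientToken". The version comparison is done in plain sh rather than `sort -V` so it behaves the same on minimal or BusyBox-based hosts.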
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access to log files
- Multiple failed authentication attempts followed by successful account modifications
- API requests with clientToken parameter from unusual IPs
Network Indicators:
- HTTP requests to plugin log file paths
- Unusual API calls to user modification endpoints
SIEM Query:
source="web_access" AND (uri_path="/wp-content/*log*" OR uri_path="*oliver*log*") AND status=200
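For sites without a SIEM, the same logic can be run directly over a web server access log. The block below is an added example, not code from the advisory or the Oliver POS project. It assumes the Apache/nginx combined log format (request path in field 7, status in field 9) and narrows the query's `*log*` wildcard to paths ending in `.log` or containing `oliver...log`, so that ordinary files such as `/wp-content/uploads/catalog.png` are not flagged. The access-log lines in `sample_access_log` are constructed (RFC 5737 test addresses, placeholder paths), not real traffic.

```shell
#!/bin/sh
# Added detection example (not the advisory's or the project's code): flag successful
# requests for log files under wp-content in a combined-format access log, then
# summarize hits per source IP. Sample lines are constructed.

# flag_log_access: reads access-log lines on stdin, prints "ip path" per hit
flag_log_access() {
    awk '{
        path = tolower($7); status = $9
        if (status == 200 && index(path, "/wp-content/") == 1 &&
            (path ~ /\.log([?]|$)/ || path ~ /oliver[^ ]*log/)) {
            print $1, $7
        }
    }'
}

# summarize_by_ip: reads "ip path" hits on stdin, prints "count ip", highest first
summarize_by_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# sample_access_log: constructed traffic; only the first two lines should be flagged
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/uploads/oliver-pos/debug.log HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-content/uploads/oliver-pos/debug.log?x=1 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-content/uploads/2025/01/catalog.png HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:01:00 +0000] "GET /wp-content/uploads/oliver-pos/debug.log HTTP/1.1" 404 200 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2025:10:01:05 +0000] "GET /wp-content/plugins/oliver-pos/assets/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# demo_detect: prints the number of flagged requests in the constructed sample
demo_detect() {
    sample_access_log | flag_log_access | wc -l | tr -d ' '
}

# top_source: prints the "count ip" line for the most active source in the sample
top_source() {
    sample_access_log | flag_log_access | summarize_by_ip | head -n 1
}

# Usage on a real host:
#   flag_log_access < /var/log/nginx/access.log | summarize_by_ip
```

A 404 for a log path is left out because it confirms nothing was served, but a burst of 404s against plugin log paths from one address is still worth a look as reconnaissance; drop the `status == 200` condition to include them.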
🔗 References
- https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/models/class-pos-bridge-user.php#L373
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3234731%40oliver-pos%2Ftrunk&old=3056051%40oliver-pos%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bf6b7d8d-fb13-4eb4-b0b4-d0a10ad2a21e?source=cve