CVE-2026-6072: Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header
The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver_pos_authorization_token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2026-6072?
CVE-2026-6072 is considered a medium severity vulnerability due to its potential for unauthorized access.
How do I fix CVE-2026-6072?
To fix CVE-2026-6072, upgrade to a version of Oliver POS that is newer than 2.4.2.6.
What impact does CVE-2026-6072 have on my system?
CVE-2026-6072 allows for an unauthorized authorization bypass, potentially enabling attackers to gain access to sensitive functions.
Is CVE-2026-6072 exploitable over the internet?
Yes, CVE-2026-6072 can be exploited remotely if the vulnerable version of Oliver POS is publicly accessible.
What versions of Oliver POS are affected by CVE-2026-6072?
CVE-2026-6072 affects all versions of Oliver POS up to and including 2.4.2.6.