CVE-2024-0702: CWE-862 Missing Authorization in oliverpos Oliver POS – A WooCommerce Point of Sale (POS)
The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions hooked via AJAX in the includes/class-pos-bridge-install.php file in all versions up to, and including, 2.4.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more.
AI Analysis
Technical Summary
CVE-2024-0702 affects the Oliver POS WooCommerce Point of Sale plugin for WordPress, where missing capability checks on AJAX functions in includes/class-pos-bridge-install.php allow authenticated users with minimal privileges (subscriber-level and above) to execute unauthorized actions. These actions include deactivating the plugin, disconnecting subscriptions, and syncing status. The vulnerability is categorized under CWE-862 (Missing Authorization) and has a CVSS 3.1 base score of 7.3, reflecting a high severity due to network attack vector, low attack complexity, and impact on confidentiality, integrity, and availability. No patch or official remediation guidance is currently available from the vendor, and no exploits are known in the wild.
Potential Impact
An attacker with subscriber-level or higher access can perform unauthorized administrative actions on the Oliver POS plugin, potentially disrupting point of sale operations by deactivating the plugin or disconnecting subscriptions. This could lead to loss of service availability and integrity of the POS system. Confidentiality impact is limited but present due to unauthorized access to certain plugin functions. The overall impact is rated high based on the CVSS score.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles to trusted individuals only and monitor for suspicious activity related to the plugin. Avoid granting subscriber or higher privileges to untrusted users. Do not rely on the plugin's current authorization checks for security.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-18T20:44:00.792Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6de3b7ef31ef0b59033d
Added to database: 2/25/2026, 9:47:15 PM
Last enriched: 4/9/2026, 5:39:34 AM
Last updated: 4/12/2026, 5:12:09 PM