
CVE-2024-13513: CWE-862 Missing Authorization in oliverpos Oliver POS – A WooCommerce Point of Sale (POS)

Severity: Critical
Tags: vulnerability, cve-2024-13513, cwe-862
Published: Sat Feb 15 2025 (02/15/2025, 07:33:40 UTC)
Source: CVE Database V5
Vendor/Project: oliverpos
Product: Oliver POS – A WooCommerce Point of Sale (POS)

Description

CVE-2024-13513 is a critical vulnerability in the Oliver POS WooCommerce Point of Sale plugin for WordPress, affecting all versions up to 2.4.2.3. The flaw arises from missing authorization controls in the plugin's logging functionality, allowing unauthenticated attackers to access sensitive information such as the clientToken. This token can be leveraged to modify user account details, including emails and account types, and ultimately change passwords, leading to full site takeover. Although version 2.4.2.3 disabled logging, existing log files remain exploitable.

AI-Powered Analysis

AI analysis last updated: 02/25/2026, 23:56:26 UTC

Technical Analysis

CVE-2024-13513 is a critical missing authorization vulnerability (CWE-862) in the Oliver POS plugin for WooCommerce on WordPress, present in all versions up to and including 2.4.2.3. The vulnerability stems from the plugin's logging mechanism, which inadvertently exposes sensitive data such as the clientToken to unauthenticated attackers. This clientToken is a sensitive credential that enables attackers to manipulate user account information, including changing email addresses and account types. By exploiting this, attackers can reset user passwords and gain full administrative control over the WordPress site, effectively resulting in a complete site takeover. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. Although the vendor disabled logging in version 2.4.2.3, sites with pre-existing log files remain vulnerable unless those files are deleted or secured. The CVSS v3.1 base score of 9.8 reflects the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation. No known public exploits have been reported yet, but the severity and nature of the flaw make it a critical risk for affected installations.

Potential Impact

The impact of CVE-2024-13513 is severe for organizations using the Oliver POS WooCommerce plugin. Exploitation allows attackers to bypass authentication controls and extract sensitive tokens, enabling them to alter user accounts and reset passwords. This leads to complete site takeover, which can result in data breaches, unauthorized transactions, loss of customer trust, and potential financial fraud. Since WooCommerce is widely used for e-commerce, compromised sites may face significant operational disruption, reputational damage, and regulatory consequences. The vulnerability also threatens the confidentiality of customer data and the integrity of sales and inventory records. Organizations that have not removed or secured legacy log files remain at risk even if they have updated to the latest plugin version. The ease of remote exploitation without credentials or user interaction increases the likelihood of automated attacks and widespread compromise.

Mitigation Recommendations

To mitigate CVE-2024-13513, organizations should immediately audit their WordPress sites using the Oliver POS plugin to identify and securely delete any existing log files that contain sensitive clientTokens. Updating the plugin to the latest version (post-2.4.2.3) is essential, as logging has been disabled to prevent further exposure. However, updating alone is insufficient without removing legacy logs. Implement strict file permissions on the WordPress installation to restrict access to sensitive files and directories. Employ web application firewalls (WAFs) to detect and block suspicious requests targeting the plugin endpoints. Monitor logs for unusual activity related to user account changes or password resets. Additionally, enforce multi-factor authentication (MFA) for administrative accounts to reduce the risk of account takeover. Regularly review and limit plugin usage to only trusted and actively maintained extensions. Finally, conduct security awareness training for administrators to recognize and respond to potential exploitation attempts.
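The first two mitigation steps above (find legacy log files that still carry a clientToken, then stop anyone but the file owner from reading plugin logs) can be scripted. The POSIX shell functions below are an added example written for this page, not code from the plugin vendor or from the advisory; they assume the WordPress tree is passed as a directory argument, that the plugin's logs use a `.log` suffix, and that the token appears in the log as the literal string `clientToken` (the page does not name the plugin's log location or format, so adjust the pattern to what you find on disk).

```shell
#!/bin/sh
# Added example (not the plugin's or the advisory's code). Audits a
# WordPress tree for plugin log files that leak a clientToken and tightens
# the permissions of any log readable by group or others.
# Assumptions: logs end in .log and the token is logged as "clientToken".

# Print every *.log file under $1 that contains the string clientToken.
# These are the legacy logs the advisory says to delete after review.
find_token_logs() {
    find "$1" -type f -name '*.log' -exec grep -l 'clientToken' {} + 2>/dev/null
}

# Restrict every *.log under $1 that is readable by group or others
# (mode bits 044) to owner read/write only, and print how many were changed.
# -print only fires when the preceding chmod succeeded, so the count is exact.
harden_logs() {
    find "$1" -type f -name '*.log' -perm /044 \
        -exec chmod 600 {} \; -print 2>/dev/null | wc -l | tr -d ' '
}

# Usage (assumed invocation): sh audit-logs.sh /var/www/html
if [ $# -gt 0 ]; then
    echo "Log files still containing clientToken under $1:"
    find_token_logs "$1"
    echo "Logs restricted to owner-only: $(harden_logs "$1")"
fi
```

Deleting the matched files is left to the operator on purpose: review them first so you know which tokens were exposed and which accounts to check for tampering, then remove them. Tightening to mode 600 only blocks other local users; if the web server itself owns the files, also deny HTTP access to `.log` files in the server configuration.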


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-17T16:13:09.022Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e5cb7ef31ef0b59ef12

Added to database: 2/25/2026, 9:49:16 PM

Last enriched: 2/25/2026, 11:56:26 PM

Last updated: 2/26/2026, 10:08:31 AM

Views: 3

