CVE-2024-13513: Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.3 - Sensitive Information Exposure to Privilege Escalation

9.8 CVSS

Description

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.4.2.3 disabled logging but left sites with existing log files vulnerable.

Classification

CVE ID: CVE-2024-13513

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor: oliverpos

Product: Oliver POS – A WooCommerce Point of Sale (POS)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 30.61% (scored less or equal to compared to others)

EPSS Date: 2025-03-16 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/bf6b7d8d-fb13-4eb4-b0b4-d0a10ad2a21e?source=cve
https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/models/class-pos-bridge-user.php#L373
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3234731%40oliver-pos%2Ftrunk&old=3056051%40oliver-pos%2Ftrunk&sfp_email=&sfph_mail=

Timeline

2025-02-16 00:31:02 UTC
CVE

Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.3 - Sensitive Information Exposure to Privilege Escalation