CVE-2024-1954

2024-02-2809:15:43

Wordfence

web.nvd.nist.gov

115

oliver pos

woocommerce

point of sale

pos

wordpress

vulnerability

cross-site request forgery

csrf

nonce validation

unauthorized actions

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

6.2

Confidence

High

EPSS

Percentile

9.0%

JSON

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1.8. This is due to missing or incorrect nonce validation in the includes/class-pos-bridge-install.php file. This makes it possible for unauthenticated attackers to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected configurations

Vulners

Node

oliverposoliver_pos_–_a_woocommerce_point_of_sale_\(pos\)Range≤2.4.1.8wordpress

VendorProductVersionCPE
oliverposoliver_pos_–_a_woocommerce_point_of_sale_\(pos\)*cpe:2.3:a:oliverpos:oliver_pos_–_a_woocommerce_point_of_sale_\(pos\):*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
oliverpos	oliver_pos_–_a_woocommerce_point_of_sale_\(pos\)	*	cpe:2.3:a:oliverpos:oliver_pos_–_a_woocommerce_point_of_sale_\(pos\)::::::wordpress::*

CNA Affected

[
  {
    "vendor": "oliverpos",
    "product": "Oliver POS – A WooCommerce Point of Sale (POS)",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.4.1.8",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]