Lucene search

WordfenceVULNRICHMENT:CVE-2024-1954

HistoryFeb 28, 2024 - 8:33 a.m.

CVE-2024-1954

2024-02-2808:33:10

Wordfence

github.com

oliver pos

woocommerce

cross-site request forgery

wordpress

nonce validation

unauthorized actions

site administrator

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

6.7

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1.8. This is due to missing or incorrect nonce validation in the includes/class-pos-bridge-install.php file. This makes it possible for unauthenticated attackers to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

References

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035108%40oliver-pos&new=3035108%40oliver-pos&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/88d16ce2-a1cf-4402-b140-3cab17f8c638?source=cve