CVE-2026-6072 MEDIUM

CVE-2026-6072: Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header

Vendor Oliverpos
Product Oliver POS – A WooCommerce Point of Sale (POS)
Weakness CWE-639 · IDOR
Published May 20, 2026
Last update May 20, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver_pos_authorization_token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover.
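As an added illustration (not code from the plugin, the vendor or the advisory), the loose-comparison pattern the description names is modelled below next to a hardened form. Only the option name, the 'OliverAuth' header and the use of `==` come from the advisory; the function bodies, the `get_option()` stand-in and the hardened check are assumptions made for the demonstration.

```php
<?php
// Added illustration, not the plugin's source. Only the option name, the
// 'OliverAuth' header and the loose `==` comparison come from the advisory;
// the function bodies and the get_option() stand-in are assumptions.

// Stand-in for WordPress get_option(): returns false for an option that was
// never set, which is the fresh-install state the advisory describes.
$options = [];
function get_option(string $name, $default = false)
{
    global $options;
    return array_key_exists($name, $options) ? $options[$name] : $default;
}

// Vulnerable shape: loose comparison of the header value with the stored token.
// With the option unset, get_option() returns false and '0' == false is true.
function vulnerable_permission_check(string $supplied): bool
{
    $stored = get_option('oliver_pos_authorization_token');
    return $supplied == $stored;
}

// Hardened shape (an assumed fix, not the vendor's patch): deny outright when
// no token has been provisioned, then compare as strings in constant time.
function hardened_permission_check(string $supplied): bool
{
    $stored = get_option('oliver_pos_authorization_token');
    if (!is_string($stored) || $stored === '') {
        return false; // unconfigured install: nothing can authenticate
    }
    return hash_equals($stored, $supplied);
}

// Fresh install: the option is unset.
var_dump(vulnerable_permission_check('0'));
var_dump(hardened_permission_check('0'));

// Configured install: constructed token value used only for this demonstration.
$options['oliver_pos_authorization_token'] = 'constructed-example-token';
var_dump(vulnerable_permission_check('0'));
var_dump(hardened_permission_check('constructed-example-token'));
```

Run with the PHP CLI: on the unset-option state the vulnerable check returns true for the value '0' while the hardened check returns false; once a token is stored, '0' fails both checks and the hardened check accepts only the exact token. The hardened form closes both halves of the problem: it treats "no token configured" as "deny everything" instead of letting `false` take part in a comparison, and `hash_equals()` forces a string-to-string, constant-time comparison. On a live site, a quick defensive check is to confirm the option actually holds a value (for example `wp option get oliver_pos_authorization_token` with WP-CLI) and to complete the connection flow or update the plugin if it does not.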

Explanation of Vulnerability in Simple Terms

02 Summary

Oliver POS for WooCommerce contains an authorization flaw affecting versions up to 2.4.2.6. An attacker on the network can read sensitive data without authentication, though exploitation requires specific conditions. The vulnerability has limited integrity impact. Site owners should update to a version newer than 2.4.2.6 when available.

What an attacker can do

03 Attacker Capabilities

Read sensitive data from the POS system without logging in.

Potential impact on your site

04 Site Impact

Customer or transaction data may be exposed if the site runs an affected Oliver POS version.

Conditions required to exploit

05 Prerequisites

Network access to the site's REST API, and the site must be in the state described above: the 'oliver_pos_authorization_token' option is still unset because the administrator has not completed the connection flow. That dependency on an unconfigured install is why attack complexity is rated high.

Key dates

06 Disclosure timeline

May 20, 2026 CVE published
May 20, 2026 Record updated

Related vulnerabilities

08 Related CVE