[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6yEC-W9NczcK_y3q9lC2yLj10xG5eo94EVw1lO2nBJ8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6072","oliver-pos-unauthenticated-authorization-bypass-through-user-controlled-key-to-oliverauth-header","Oliver POS \u003C= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header","The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire \u002Fwp-json\u002Fpos-bridge\u002F* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver_pos_authorization_token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover.","oliver-pos",null,"\u003C=2.4.2.6","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-05-19 12:03:04","2026-05-20 01:25:54",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fca6aa922-9c58-445c-b88a-3d1d1c95102c?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-6072 (Oliver POS Authorization Bypass)\n\n## 1. Vulnerability Summary\nThe **Oliver POS** plugin for WordPress (versions \u003C= 2.4.2.6) contains an authorization bypass vulnerability within its custom REST API bridge. The vulnerability resides in the `oliver_pos_rest_authentication()` function, which serves as the `permission_callback` for all endpoints under the `\u002Fwp-json\u002Fpos-bridge\u002F` namespace. \n\nThe function compares the client-provided `OliverAuth` HTTP header against the WordPress option `oliver_pos_authorization_token` using a loose PHP comparison operator (`==`). On new or unconfigured installations, this option is unset, causing `get_option()` to return `false`. Due to PHP type juggling, the string value `\"0\"` provided in the `OliverAuth` header is considered equal to `false` (`\"0\" == false` evaluates to `true`), granting unauthenticated access to sensitive API endpoints.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint:** Any endpoint under the `\u002Fwp-json\u002Fpos-bridge\u002F` namespace (e.g., `\u002Fwp-json\u002Fpos-bridge\u002Fv1\u002Fusers` (inferred)).\n*   **Vulnerable Parameter:** `OliverAuth` HTTP Header.\n*   **Payload:** `0`\n*   **Authentication Level:** Unauthenticated.\n*   **Precondition:** The plugin must be installed but not yet fully \"connected\" or configured (so the `oliver_pos_authorization_token` option remains unset).\n\n## 3. Code Flow\n1.  **Entry Point:** An HTTP request is made to a REST route registered by the plugin (e.g., `\u002Fwp-json\u002Fpos-bridge\u002Fv1\u002Fusers`).\n2.  **Hook:** The `rest_api_init` action triggers the registration of routes using `register_rest_route`.\n3.  **Registration:** The routes are defined with a `permission_callback` pointing to `oliver_pos_rest_authentication`.\n4.  **Vulnerable Function:** `oliver_pos_rest_authentication($request)` is executed.\n    *   It retrieves the header: `$auth_header = $request->get_header('OliverAuth');`\n    *   It retrieves the stored token: `$stored_token = get_option('oliver_pos_authorization_token');`\n    *   It performs the loose check: `if ($auth_header == $stored_token) { return true; }`\n5.  **Bypass:** If `$stored_token` is `false` (unset) and `$auth_header` is the string `\"0\"`, the check passes.\n6.  **Sink:** The core API logic for the requested endpoint executes, allowing data retrieval or modification.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability specifically targets the `pos-bridge` REST namespace. REST API endpoints that use custom authentication headers (like `OliverAuth`) and return `true` in their `permission_callback` typically do not require standard WordPress CSRF nonces (`_wpnonce`). Since the bypass occurs at the `permission_callback` level, no nonce is needed for exploitation.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate unauthorized access to user data and potential account takeover by modifying an administrator's email.\n\n### Step 1: Information Leak (List Users)\nIdentify the administrative user ID and current details.\n*   **Tool:** `http_request`\n*   **Method:** `GET`\n*   **URL:** `\u002Fwp-json\u002Fpos-bridge\u002Fv1\u002Fusers` (inferred)\n*   **Headers:** `{\"OliverAuth\": \"0\"}`\n*   **Expected Response:** A JSON array of users including fields like `id`, `user_email`, and `roles`.\n\n### Step 2: Account Takeover (Update Admin Email)\nChange the email address of the administrator (typically ID 1) to an attacker-controlled address.\n*   **Tool:** `http_request`\n*   **Method:** `POST` (or `PUT`)\n*   **URL:** `\u002Fwp-json\u002Fpos-bridge\u002Fv1\u002Fusers\u002F1` (inferred)\n*   **Headers:** \n    *   `OliverAuth: 0`\n    *   `Content-Type: application\u002Fjson`\n*   **Body:** `{\"user_email\": \"attacker@example.com\"}` (inferred parameter name)\n*   **Expected Response:** JSON confirmation showing the updated email.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Install and activate Oliver POS version 2.4.2.6.\n2.  **State Verification:** Ensure the plugin is **not** configured. Do not run the setup wizard or connect to an Oliver account.\n3.  **Target Content:** Ensure at least one administrator account exists (default WP behavior).\n\n## 7. Expected Results\n*   The `GET` request to the bridge API should return a `200 OK` status and a full list of site users, confirming the authentication bypass and data exposure.\n*   The `POST` request to update the user should return a `200 OK` status, confirming the bypass allows data modification.\n\n## 8. Verification Steps (Post-Exploit)\nConfirm the changes using WP-CLI:\n*   **Check User List:** `wp user list`\n*   **Check Specific User Meta:** `wp user get 1`\n*   **Check Option Status:** `wp option get oliver_pos_authorization_token` (Should return an error or empty string, confirming it was unset).\n\n## 9. Alternative Approaches\nIf `\u002Fv1\u002Fusers` is not the correct endpoint, explore other common REST endpoints registered by the plugin.\n*   **Discovery:** Use the standard WP REST index to find available bridge routes:\n    *   `GET \u002Fwp-json\u002Fpos-bridge\u002Fv1` (with `OliverAuth: 0`)\n*   **Alternative Targets:** \n    *   `\u002Fwp-json\u002Fpos-bridge\u002Fv1\u002Fsettings` (Check for sensitive POS configuration)\n    *   `\u002Fwp-json\u002Fpos-bridge\u002Fv1\u002Forders` (Check for WooCommerce order data exposure)","The Oliver POS plugin for WordPress is vulnerable to an authorization bypass because it uses a loose PHP comparison (==) to validate the 'OliverAuth' header. On unconfigured sites where the authorization token is unset (returning false), an attacker can supply a value of '0' to satisfy the check, gaining full access to the POS-bridge REST API.","\u002F\u002F Inferred from vulnerability description and research plan\n\nfunction oliver_pos_rest_authentication($request) {\n    $auth_header = $request->get_header('OliverAuth');\n    $stored_token = get_option('oliver_pos_authorization_token');\n\n    \u002F\u002F Vulnerable loose comparison: '0' == false evaluates to true\n    if ($auth_header == $stored_token) {\n        return true;\n    }\n    \n    return new WP_Error('rest_forbidden', __('You do not have permission to access this endpoint.'), array('status' => 401));\n}","--- a\u002Foliver-pos\u002Fincludes\u002Foliver-pos-functions.php\n+++ b\u002Foliver-pos\u002Fincludes\u002Foliver-pos-functions.php\n@@ -10,7 +10,7 @@\n function oliver_pos_rest_authentication($request) {\n     $auth_header = $request->get_header('OliverAuth');\n     $stored_token = get_option('oliver_pos_authorization_token');\n-    if ($auth_header == $stored_token) {\n+    if (!empty($stored_token) && $auth_header === $stored_token) {\n         return true;\n     }\n     return false;","To exploit this vulnerability, an attacker targets the plugin's custom REST API namespace. 1. Precondition: The plugin must be installed but not yet configured (the 'oliver_pos_authorization_token' option must be missing or false). 2. Identification: The attacker sends a GET request to '\u002Fwp-json\u002Fpos-bridge\u002Fv1\u002Fusers' with the HTTP header 'OliverAuth: 0'. 3. Access: Because '0' == false in PHP, the permission callback returns true, bypassing authentication. 4. Escalation: The attacker can then perform administrative actions, such as sending a POST request to update an administrator's email address to an attacker-controlled one, enabling a full site takeover via password reset.","gemini-3-flash-preview","2026-05-20 17:10:05","2026-05-20 17:10:42",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Foliver-pos\u002Ftags"]