CVE-2026-6072— Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header
Possible ATT&CK Techniques 3AI
T1136 · Create Account T1078 · Valid Accounts T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| oliverpos | Oliver POS – A WooCommerce Point of Sale (POS) | ≤ 2.4.2.6 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6072
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver_pos_authorization_token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin Oliver POS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Oliver POS 2.4.2.6及之前版本存在安全漏洞,该漏洞源于通过用户控制密钥绕过授权,可能导致未经身份验证的攻击者绕过身份验证并完全访问POS API端点,读取用户数据、更新用户资料和删除非管理员用户。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| oliverpos | Oliver POS – A WooCommerce Point of Sale (POS) | 0 ~ 2.4.2.6 | - |
II. Public POCs for CVE-2026-6072
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6072
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-6072 (7)
Vendor Advisories for CVE-2026-6072 (1)
IV. Related Vulnerabilities
Same weakness: CWE-639
- CVE-2026-40127
Authorization Bypass Through User-Controlled Key in OutSyste - CVE-2026-9306
QuantumNous new-api Midjourney Image Relay Endpoint relay-ro - CVE-2026-35430
Azure Privileged Identity Management (PIM) Elevation of Priv - CVE-2026-39967
TypeBot: Cross-Typebot Result Data Access via Missing typebo - CVE-2026-28444
Typebot: IDOR in Result Logs Endpoint Allows Cross-Workspace
V. Comments for CVE-2026-6072
No comments yet