CVE-2024-0702

Name of the Vulnerable Software and Affected Versions The Oliver POS versions up to, and including, 2.4.1.8

Description The issue is related to missing capability checks on several functions hooked via AJAX in the includes/class-pos-bridge-install.php file. This allows authenticated attackers with subscriber-level access and above to perform unauthorized actions, such as deactivating the plugin, disconnecting the subscription, and syncing the status.

Recommendations For versions up to, and including, 2.4.1.8, consider disabling the affected functions hooked via AJAX in the includes/class-pos-bridge-install.php file as a temporary workaround until a patch is available. Restrict access to the class-pos-bridge-install.php file to minimize the risk of exploitation. Avoid using the affected AJAX endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.