PT-2025-6557 · Unknown · Oliver Pos

Krzysztof Zając · Published 2025-02-15 · Updated 2025-03-21 · CVE-2024-13513

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Oliver POS versions up to, and including, 2.4.2.3

Description
The plugin's logging functionality exposes sensitive data, including the plugin's clientToken, to unauthenticated attackers. With that token an attacker can change user account information, such as emails and account type, and subsequently change account passwords, resulting in a complete site takeover.

Recommendations
No version containing a fix for this vulnerability is known at the time of writing. For versions up to, and including, 2.4.2.3, disable the logging functionality as a temporary workaround until a patch is available, and restrict access to any existing log files, which may already contain the clientToken, to reduce the risk of exploitation. Once a fixed version is released, update to it and remove any remaining vulnerable log files.
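The workaround above has two practical parts: find out whether log files already reachable under the web root contain the clientToken, and get those files out of the web server's reach without destroying them, since they are evidence of what was exposed and any token found in them should be treated as disclosed. The script below is an added example written for this page; it is not code from the advisory or from the Oliver POS plugin. It assumes only what the advisory states: the plugin writes plain-text log files under the WordPress install and the secret appears under the key name "clientToken". The directory names it uses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the Oliver POS plugin.
# Assumption: the plugin keeps plain-text *.log files somewhere under the
# web root and the leaked secret appears under the key name "clientToken",
# as the advisory states. All directory names below are placeholders.

# List *.log files under directory $1 that contain the clientToken key.
# Exit status is grep's: 0 if at least one file matched, 1 if none did.
find_token_leaks() {
    grep -rl --include='*.log' -- 'clientToken' "$1" 2>/dev/null
}

# Move every leaking log file from web root $1 into $2, a directory the web
# server must not serve. Moving rather than deleting keeps the files for
# incident review. Prints the new location of each file moved.
quarantine_logs() {
    src="$1"; dest="$2"
    mkdir -p "$dest" && chmod 700 "$dest"
    find_token_leaks "$src" | while IFS= read -r f; do
        # Flatten the relative path so files from different subdirectories
        # cannot collide inside the quarantine directory.
        name=$(printf '%s' "${f#"$src"/}" | tr '/' '_')
        mv -- "$f" "$dest/$name" && chmod 600 "$dest/$name"
        printf '%s\n' "$dest/$name"
    done
}

# Number of log files under $1 that still leak the key (0 means clean).
count_token_leaks() {
    find_token_leaks "$1" | wc -l | tr -d ' '
}

# Constructed demonstration data: a throwaway web root holding a fake plugin
# log directory with one leaking log, one harmless log, and a non-log file
# that mentions the key name but is not a *.log file.
demo_root=$(mktemp -d)
demo_quarantine=$(mktemp -d)
mkdir -p "$demo_root/wp-content/plugins/example-pos/logs"
printf 'debug: request ok\n' \
    > "$demo_root/wp-content/plugins/example-pos/logs/app.log"
printf 'debug: sync {"clientToken":"EXAMPLE-NOT-REAL"}\n' \
    > "$demo_root/wp-content/plugins/example-pos/logs/sync.log"
printf 'clientToken is mentioned here, but this is not a log file\n' \
    > "$demo_root/wp-content/readme.txt"

echo "leaking log files before: $(count_token_leaks "$demo_root")"
quarantine_logs "$demo_root" "$demo_quarantine"
echo "leaking log files after:  $(count_token_leaks "$demo_root")"
rm -rf "$demo_root" "$demo_quarantine"
```

Run it against the real install as `find_token_leaks /path/to/wordpress` first to see what is exposed, then `quarantine_logs /path/to/wordpress /path/outside/docroot`. Moving the files only removes what has already been written; the logging functionality itself still has to be disabled, or the plugin will write a fresh leaking log.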

Weakness Enumeration
Missing Authorization

Related Identifiers
CVE-2024-13513

Affected Products
Oliver Pos