PatchSiren cyber security CVE debrief
CVE-2026-6072 oliverpos CVE debrief
CVE-2026-6072 documents an authorization bypass in the Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress, affecting all versions up to and including 2.4.2.6. The flaw is a loose PHP comparison (==) in the oliver_pos_rest_authentication() permission callback, which checks the request's 'OliverAuth' header against the 'oliver_pos_authorization_token' option. On a fresh installation that option has never been set, so get_option() returns false. PHP compares a boolean with any other type by converting both operands to boolean, and the string '0' converts to false, so '0' == false evaluates to true. An unauthenticated attacker therefore passes the check by sending 'OliverAuth: 0'.

Passing the check grants full access to the /wp-json/pos-bridge/* REST namespace, which exposes endpoints to read user data (including administrator details), modify user profiles (including email addresses), and delete non-administrator users. An attacker who changes an administrator's email address can then request a password reset for that account and take over the site.

The CVSS 3.1 base score of 6.5 (Medium) reflects the high attack complexity (the bypass requires a fresh, unconfigured installation) and a high confidentiality impact, with lower integrity impact and no direct availability impact. The record was published to NVD on 2026-05-20 with a Deferred status, which NVD assigns to records it has not prioritized for enrichment; it does not indicate pending vendor coordination.
- Vendor
- oliverpos
- Product
- Oliver POS – A WooCommerce Point of Sale (POS)
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-20
- Original CVE updated
- 2026-05-20
- Advisory published
- 2026-05-20
- Advisory updated
- 2026-05-20
Who should care
WordPress site administrators using Oliver POS plugin, especially those with fresh or staging installations; security teams monitoring WooCommerce POS integrations; managed WordPress hosting providers
Technical summary
The Oliver POS plugin registers REST API endpoints under /wp-json/pos-bridge/* with the permission callback oliver_pos_rest_authentication(). The callback reads the attacker-controlled 'OliverAuth' request header and compares it with get_option('oliver_pos_authorization_token') using loose equality (==). On a fresh installation the option is unset, so get_option() returns false. PHP compares a boolean with any other type by converting both operands to boolean, and the string '0' is one of the values that converts to false, so '0' == false evaluates to true. An unauthenticated request carrying 'OliverAuth: 0' therefore passes the permission check. (The same conversion rule makes an empty string or an absent header compare equal to false as well; the published finding documents the '0' value.) The namespace exposes user enumeration, profile modification and user deletion endpoints, so changing an administrator's email address and then triggering a password reset chains the bypass into administrator account takeover.
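The following standalone PHP script is an added illustration and is not the plugin's source: it reconstructs the loose-comparison pattern the advisory describes as a simplified callback, places a hardened version beside it, and runs both against a stub get_option() that returns false the way an unconfigured install does. It goes slightly beyond the published '0' case by also feeding the empty string and a missing (null) header, which PHP's boolean conversion treats the same way. The function names, the stub and the test values are assumptions for the demonstration.

```php
<?php
// Added example, not the plugin's code: loose vs strict permission check
// against an unset option, as described in the CVE-2026-6072 advisory.
declare(strict_types=1);

// Stub standing in for WordPress get_option(): returns false when the
// option has never been written, exactly as on a fresh installation.
function get_option(string $name, $default = false)
{
    static $options = []; // constructed: empty, i.e. unconfigured install
    return array_key_exists($name, $options) ? $options[$name] : $default;
}

// Vulnerable pattern (loose ==). With the option unset the right-hand side
// is bool false, so PHP converts the header to bool before comparing.
function loose_check($header): bool
{
    return $header == get_option('oliver_pos_authorization_token');
}

// Hardened pattern: fail closed while no token is configured, require a
// non-empty string header, and compare in constant time with hash_equals().
function strict_check($header): bool
{
    $token = get_option('oliver_pos_authorization_token');
    if (!is_string($token) || $token === '') {
        return false; // unconfigured install: nothing may authenticate
    }
    if (!is_string($header) || $header === '') {
        return false;
    }
    return hash_equals($token, $header);
}

// Constructed header values: the advisory's '0', plus neighbours that the
// same bool conversion rule affects, plus values that should never pass.
$cases = [
    "'0' (value from the advisory)" => '0',
    "'' (empty string)"            => '',
    'null (header absent)'         => null,
    "'1'"                          => '1',
    "'secret'"                     => 'secret',
];

foreach ($cases as $label => $header) {
    printf(
        "%-32s loose: %-5s strict: %s\n",
        $label,
        loose_check($header) ? 'PASS' : 'deny',
        strict_check($header) ? 'PASS' : 'deny'
    );
}
```

Run it with `php juggle.php`. The loose column shows '0', the empty string and the absent header all passing against an unset option, while the strict column denies every value because no token exists; with a real token stored, strict_check() only passes an exact, constant-time match.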
Defensive priority
high
Recommended defensive actions
- Upgrade Oliver POS plugin to a version beyond 2.4.2.6 once a patched release becomes available
- For fresh installations, complete the initial connection flow immediately so the oliver_pos_authorization_token option is set; a stored token removes the '0' == false condition, but the loose comparison itself remains until the plugin is patched, so treat this as a mitigation rather than a fix
- Implement network-level restrictions on /wp-json/pos-bridge/* endpoints to trusted IP ranges where feasible
- Monitor WordPress audit logs for unauthorized access to POS API endpoints and unexpected user profile modifications
- Review administrator email addresses for unauthorized changes and verify password reset request legitimacy
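As a stopgap that combines the fail-closed, header-validation and IP-restriction actions above, the must-use plugin below is an added example and not vendor code. It hooks the WordPress `rest_request_before_callbacks` filter, which runs before any endpoint's own permission callback, and returns a WP_Error for every request to the /pos-bridge/ namespace unless the token option is a non-empty string, the OliverAuth header matches it in constant time, and (optionally) the client address is on an allowlist. The namespace and option name are taken from the advisory; the `POS_BRIDGE_ALLOWED_IPS` constant, the log prefix and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: pos-bridge guard (added example, not Oliver POS code)
 * Description: Virtual patch for CVE-2026-6072. Place in wp-content/mu-plugins/.
 *
 * Assumptions: REST namespace /pos-bridge/ and option name
 * oliver_pos_authorization_token as stated in the advisory; the
 * POS_BRIDGE_ALLOWED_IPS constant is hypothetical and, if wanted, is defined
 * in wp-config.php as a comma-separated list of client addresses.
 */
if (!defined('ABSPATH')) {
    exit;
}

add_filter('rest_request_before_callbacks', function ($response, $handler, $request) {
    if (!($request instanceof WP_REST_Request)) {
        return $response;
    }

    // Only gate the Oliver POS bridge namespace; leave other routes alone.
    if (strncmp($request->get_route(), '/pos-bridge/', 12) !== 0) {
        return $response;
    }

    $remote = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';

    // Log the denial (route, method, source) and short-circuit with 403.
    $deny = function (string $reason) use ($request, $remote) {
        error_log(sprintf(
            '[pos-bridge-guard] denied %s %s from %s: %s',
            $request->get_method(),
            $request->get_route(),
            $remote,
            $reason
        ));
        return new WP_Error('rest_forbidden', 'Forbidden.', ['status' => 403]);
    };

    // Optional allowlist (hypothetical constant): enforce only when defined.
    if (defined('POS_BRIDGE_ALLOWED_IPS')) {
        $allowed = array_map('trim', explode(',', (string) POS_BRIDGE_ALLOWED_IPS));
        if (!in_array($remote, $allowed, true)) {
            return $deny('source address not allowlisted');
        }
    }

    // Fail closed on an unconfigured install: false or '' must never authenticate.
    $token = get_option('oliver_pos_authorization_token');
    if (!is_string($token) || $token === '') {
        return $deny('authorization token not configured');
    }

    // WP_REST_Request normalises header names, so 'OliverAuth' is read as 'oliverauth'.
    $header = $request->get_header('oliverauth');
    if (!is_string($header) || $header === '' || !hash_equals($token, $header)) {
        return $deny('OliverAuth header missing or mismatched');
    }

    return $response; // valid token: let the plugin's own callbacks run
}, 10, 3);
```

Because the filter returns an error before the endpoint's permission callback executes, the vulnerable loose comparison is never reached by a request that fails these checks. Two caveats: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the allowlist needs the real client address resolved by your proxy configuration first; and denials go to the PHP error log, which should be fed into whatever monitoring reviews access to the POS endpoints.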
Evidence notes
Vulnerability confirmed through WordPress plugin repository source code review. The authentication bypass is demonstrated in class-pos-bridge.php at lines 1677-1679 where the loose comparison occurs, with affected API endpoints for user operations located in class-pos-bridge-user.php. Both tagged release 2.4.2.6 and trunk versions contain the vulnerable code pattern.
Official resources
2026-05-20