CVE-2024-13513

CRITICAL

Oliver POS - Info Disclosure

Title source: llm

Description

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.4.2.3 disabled logging but left sites with existing log files vulnerable.

Exploits (2)

nomisec WORKING POC

by 0axz-tools · poc

https://github.com/0axz-tools/CVE-2024-13513.py

View Code ZIP pw:eip

nomisec WORKING POC

by KTN1990 · poc

https://github.com/KTN1990/CVE-2024-13513

View Code ZIP pw:eip

References (3)

[Product] https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/models/class-pos-bridge-user.php#L373

[Patch] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3234731%40oliver-pos%2Ftrunk&old=3056051%40oliver-pos%2Ftrunk&sfp_email=&sfph_mail=

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/bf6b7d8d-fb13-4eb4-b0b4-d0a10ad2a21e?source=cve

Scores

CVSS v3 9.8

EPSS 0.0015

EPSS Percentile 34.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-862

Status published

Products (2)

oliverpos/oliver_pos < 2.4.2.4

oliverpos/Oliver POS – A WooCommerce Point of Sale (POS) < 2.4.2.3

Published Feb 15, 2025

Tracked Since Feb 18, 2026