Authorization Bypass Vulnerability in Oliver POS Plugin for WooCommerce by WordPress
CVE-2026-6072

6.5 MEDIUM

What is CVE-2026-6072?

The Oliver POS plugin for WooCommerce contains an authorization bypass that an unauthenticated attacker can trigger through a user-controlled HTTP header. The cause is a loose PHP comparison in the permission callback for the plugin's POS REST API, oliver_pos_rest_authentication(). If the authorization token was never set during the plugin's initial setup, a request carrying the value '0' in the 'OliverAuth' header satisfies that comparison and is treated as authenticated. With that access an attacker can read sensitive user data, modify user profiles and reset the administrator account's email address, which can lead to a complete site takeover.
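As an added illustration, not the plugin's own code: a WordPress REST permission callback with the loose-comparison flaw described above, beside a hardened form that fails closed when no token is configured. The option name, route and handler name are assumptions.

```php
<?php
// Added illustration (not the plugin's code). The option key, route and
// handler name are hypothetical.

const EXAMPLE_POS_TOKEN_OPTION = 'example_pos_auth_token'; // hypothetical option key

// Vulnerable pattern: get_option() returns false when the token was never
// saved, and PHP's loose == treats the string "0" as equal to false, so a
// request whose OliverAuth header is "0" passes the check.
function vulnerable_rest_authentication( WP_REST_Request $request ) {
    $stored = get_option( EXAMPLE_POS_TOKEN_OPTION ); // false if never set
    $header = $request->get_header( 'OliverAuth' );   // null if absent
    return $header == $stored;                        // loose comparison
}

// Hardened pattern: refuse access when no token is configured, require a
// non-empty string header, and compare with a constant-time strict check.
function hardened_rest_authentication( WP_REST_Request $request ) {
    $stored = get_option( EXAMPLE_POS_TOKEN_OPTION, '' );
    if ( ! is_string( $stored ) || $stored === '' ) {
        // Fail closed: an unconfigured token must never grant access.
        return new WP_Error( 'rest_forbidden', 'POS token not configured.', array( 'status' => 403 ) );
    }
    $header = $request->get_header( 'OliverAuth' );
    if ( ! is_string( $header ) || $header === '' ) {
        return new WP_Error( 'rest_forbidden', 'Missing POS token.', array( 'status' => 401 ) );
    }
    // hash_equals() is a strict, timing-safe string comparison; "0" vs a
    // real token is simply unequal.
    return hash_equals( $stored, $header );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-pos/v1', '/customers', array(
        'methods'             => 'GET',
        'callback'            => 'example_pos_customers', // hypothetical handler
        'permission_callback' => 'hardened_rest_authentication',
    ) );
} );
```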

Affected Version(s)

Oliver POS – A WooCommerce Point of Sale (POS): 0 <= version <= 2.4.2.6

CVSS V3.1

  • Score: 6.5
  • Severity: MEDIUM
  • Confidentiality: High
  • Integrity: Low
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hunter Jensen