Cyber Posture

CVE-2024-13513

Critical

Published: 15 February 2025
Modified: 25 February 2025
KEV Added: not listed
Patch: version 2.4.2.3 disabled the logging (see NVD description below)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13513 is a critical-severity vulnerability in the Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress (vendor Oliverpos). This page classifies it as Missing Authorization (CWE-862); the NVD description characterizes it as Sensitive Information Exposure through the plugin's logging functionality. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score of 0.0015 places it at the 34.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The NIST 800-53 controls this page maps to the issue are AU-9 (Protection of Audit Information) and AU-13 (Monitoring for Information Disclosure), with SI-2 (Flaw Remediation) covering the vendor fix. In practice the decisive steps are updating past the affected versions, deleting or access-restricting any log files written by earlier versions, and treating any clientToken those files may have exposed as compromised, since removing a log does not revoke a token an attacker has already read.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: AU-9 (Protection of Audit Information) protects audit information and logging tools from unauthorized access, which directly blocks unauthenticated attackers from reading the clientToken out of exposed log files.

Prevent: SI-2 (Flaw Remediation) requires system flaws such as the plugin's logging of a sensitive token to be identified, reported and corrected, which here means applying the vendor fix and removing the log files earlier versions left behind.

Detect: AU-13 (Monitoring for Information Disclosure) monitors the system for information disclosures, detecting unauthorized access to log files that contain the clientToken.

NVD Description

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.4.2.3 disabled logging but left sites with existing log files vulnerable.

Deeper analysis

CVE-2024-13513 is a sensitive information exposure vulnerability in the Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress, affecting all versions up to and including 2.4.2.3. The flaw arises from the plugin's logging functionality, which exposes sensitive data such as the plugin's clientToken.

Unauthenticated attackers can exploit this vulnerability by accessing the log files to extract the clientToken. Armed with this token, attackers can modify user account information, including emails and account types, and then change account passwords, enabling complete site takeover. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-862.

Version 2.4.2.3 of the plugin disables logging as the mitigation, but sites that still hold log files written by earlier versions remain exposed until those files are removed or made inaccessible, and a token already read from them stays usable until it is changed. Additional details are available in the Wordfence threat intelligence report and the plugin's changesets on the WordPress Plugin Trac, including the relevant code in class-pos-bridge-user.php.
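The controls above (AU-9/AU-13) and the leftover-log-file caveat both come down to one question for a defender: which log files on the host still contain a secret such as the clientToken, and what must be rotated as a result. The following is an added example written for this page, not code from the Oliver POS plugin or from Wordfence. It scans a directory tree for secret-bearing fields, reports the distinct leaked values so they can be rotated, and produces a redacted copy. The log layout in SAMPLE_LOG is constructed for the example; the plugin's real log format and file location are not shown on this page, and the field names other than clientToken are assumptions about what similar plugins tend to write.

```python
"""Added example: find and redact leaked secret-bearing fields (e.g. clientToken)
in plugin log files left behind on a WordPress host.

Constructed for this page; not code from the Oliver POS plugin. The log format
below is hypothetical, and the field names other than clientToken are
assumptions about what similar plugins log."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Field names treated as secrets. "clientToken" is the field named in the
# advisory; the rest are assumed extras worth flagging in any log review.
SECRET_FIELDS = ("clientToken", "client_token", "access_token", "password", "secret")
REDACTED = "[REDACTED]"

# Matches key=value, key: value and "key":"value" forms, case-insensitively.
# Group "key" keeps the field name plus separator/quote so redaction preserves
# the surrounding layout; group "value" stops at whitespace or a JSON/CSV delimiter.
_SECRET_RE = re.compile(
    r'(?P<key>"?(?:' + "|".join(map(re.escape, SECRET_FIELDS)) + r')"?\s*[:=]\s*"?)'
    r'(?P<value>[^\s",;}]+)',
    re.IGNORECASE,
)

# Constructed sample: what a verbose request log might look like if a plugin
# wrote whole API payloads to disk (hypothetical format, hypothetical token).
SAMPLE_LOG = """\
[2025-02-10 09:12:44] pos-bridge: register user request
[2025-02-10 09:12:44] payload={"email":"owner@example.test","clientToken":"ct_live_0123456789abcdef","role":"administrator"}
[2025-02-10 09:12:45] response status=200
[2025-02-10 09:13:01] pos-bridge: clientToken=ct_live_0123456789abcdef refreshed
"""


def find_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, field, value) for every secret-bearing field in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in _SECRET_RE.finditer(line):
            value = m.group("value")
            if value == REDACTED:  # already scrubbed, nothing to report
                continue
            field = m.group("key").strip(' ":=')
            hits.append((line_no, field, value))
    return hits


def tokens_to_rotate(text: str) -> set[str]:
    """Distinct leaked values. These credentials are burned and must be rotated:
    deleting the log does not revoke a token an attacker may already hold."""
    return {value for _, _, value in find_secrets(text)}


def redact(text: str) -> str:
    """Scrub secret values, keeping field names so the log stays readable."""
    return _SECRET_RE.sub(lambda m: m.group("key") + REDACTED, text)


def scan_dir(root: Path, globs: tuple[str, ...] = ("*.log", "*.txt")) -> dict[str, list[tuple[int, str, str]]]:
    """Walk root (e.g. the WordPress uploads or plugin directory) and report
    every matching file that still contains a secret. Unreadable files are
    skipped rather than aborting the scan."""
    report: dict[str, list[tuple[int, str, str]]] = {}
    for pattern in globs:
        for path in sorted(root.rglob(pattern)):
            try:
                hits = find_secrets(path.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


def demo_scan_tempdir() -> dict[str, list[tuple[int, str, str]]]:
    """Self-contained run: write the sample log into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos-bridge.log").write_text(SAMPLE_LOG)
        (root / "debug.log").write_text("[2025-02-10 09:14:00] cache warmed\n")
        return scan_dir(root)


if __name__ == "__main__":
    for rel, hits in demo_scan_tempdir().items():
        for line_no, field, value in hits:
            print(f"{rel}:{line_no}: {field} = {value[:6]}...")
    print("rotate:", sorted(tokens_to_rotate(SAMPLE_LOG)))
    print(redact(SAMPLE_LOG))
```

Point scan_dir at the web root after upgrading: any file it reports is a file that a request could still fetch if the directory is web-accessible, and every value tokens_to_rotate returns should be treated as already in an attacker's hands, regardless of whether access logs show a download.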

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products: oliverpos / oliver pos, versions ≤ 2.4.2.4 (the NVD description states the exposure exists in versions up to and including 2.4.2.3, while the product range recorded here extends to 2.4.2.4; treat any install at or below 2.4.2.4 as needing review, and check for leftover log files regardless of the version now running).

CVEs Like This One (all share CWE-862)

CVE-2024-12365
CVE-2025-67974
CVE-2025-65669
CVE-2026-28254
CVE-2025-48574
CVE-2026-3266
CVE-2025-69297
CVE-2025-69186
CVE-2026-25456
CVE-2024-12810
