Description
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint.
Published: 2025-12-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated File Write
Action: Patch Immediately
AI Analysis

Impact

The Hippoo Mobile App for WooCommerce plugin is vulnerable because a REST API endpoint allows file write without any authentication. An attacker can submit arbitrary JSON payloads to the endpoint and have them stored in the site's public upload directory, potentially leading to malicious scripts or data being placed on the server. The flaw is a missing permission callback, classified as CWE-862, and can compromise confidentiality, integrity, or availability if the attacker injects code.

Affected Systems

All installations of the Hippoo Mobile App for WooCommerce plugin up to and including version 1.7.1 are affected. The vulnerability exists in the plugin’s REST API implementation and applies to any WordPress site running these versions.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at the time of assessment. The vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the fault simply by accessing the unauthenticated REST endpoint, which requires network access to the site but no credentials. Successful exploitation would grant arbitrary file writes, which could in turn enable remote code execution or site defacement if the uploaded file is executed by the web server.

Generated by OpenCVE AI on April 21, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later, which removes the unauthenticated write endpoint.
  • If an update is not yet available, disable or remove the vulnerable REST endpoint so that only authenticated users can access it.
  • Restrict write permissions on the public uploads directory to limit the impact of any potential write attempts, and consider using access controls such as .htaccess rules to block executable uploads.
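The following PHP is an added illustration, not the Hippoo plugin's source (which is not on this page). The first part models a route registered at the path named in the description and replaces the `permission_callback => '__return_true'` pattern with a capability check and argument validation; the second part is a stand-alone `mu-plugins` drop-in that implements the interim action above by rejecting unauthenticated requests to that route until the plugin is updated. The handler name `example_save_callback` and the WooCommerce capability `manage_woocommerce` are assumptions for the example.

```php
<?php
/**
 * Added example, not the plugin's own code.
 *
 * Part 1 belongs in the plugin that registers the route. Part 2 is an
 * independent drop-in for wp-content/mu-plugins/ and works without Part 1.
 */

// ---- Part 1: hardened route registration -------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route(
        'hippoo/v1',
        '/wc/token/save_callback/(?P<token_id>[A-Za-z0-9_-]+)',
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'example_save_callback', // assumed handler name
            // The advisory's defect was permission_callback => '__return_true',
            // which lets every request through. Require an authenticated user
            // with a store-management capability instead.
            'permission_callback' => function ( WP_REST_Request $request ) {
                if ( ! is_user_logged_in() || ! current_user_can( 'manage_woocommerce' ) ) {
                    return new WP_Error(
                        'rest_forbidden',
                        'Authentication required.',
                        array( 'status' => rest_authorization_required_code() ) // 401 or 403
                    );
                }
                return true;
            },
            'args' => array(
                'token_id' => array(
                    'required'          => true,
                    // Reject anything that could be used as a path component.
                    'validate_callback' => function ( $value ) {
                        return is_string( $value )
                            && 1 === preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $value );
                    },
                ),
            ),
        )
    );
} );

function example_save_callback( WP_REST_Request $request ) {
    // Assumed handler body; the real one is not on the page. Whatever is
    // stored should go to a non-public location with a server-chosen name,
    // never to a path derived from request input.
    $token_id = $request->get_param( 'token_id' );
    update_option( 'example_hippoo_callback_' . $token_id, $request->get_json_params(), false );
    return new WP_REST_Response( array( 'saved' => true ), 200 );
}

// ---- Part 2: interim drop-in for wp-content/mu-plugins/ ----------------
// Runs before any route callback. Requests to the vulnerable route from
// anyone lacking the capability are answered with an error and never reach
// the plugin's handler, so no file is written.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    $route = $request->get_route();
    if ( 0 === strpos( $route, '/hippoo/v1/wc/token/save_callback/' )
        && ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication required.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $response;
}, 10, 3 );
```

Cookie-authenticated REST calls also need a valid `X-WP-Nonce` header, which WordPress checks before either callback runs, so a logged-in browser session cannot be driven into this route from another origin. The drop-in is deliberately narrow: it matches the route prefix from the description only, and can be removed once the updated plugin ships its own permission check.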



Advisories

No advisories yet.

History

Fri, 27 Feb 2026 02:15:00 +0000

Type      | Values Removed | Values Added
Metrics   |                | ssvc
          |                | {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 14 Dec 2025 21:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Hippooo
                    |                | Hippooo hippoo Mobile App For Woocommerce
                    |                | Wordpress
                    |                | Wordpress wordpress
Vendors & Products  |                | Hippooo
                    |                | Hippooo hippoo Mobile App For Woocommerce
                    |                | Wordpress
                    |                | Wordpress wordpress

Fri, 12 Dec 2025 07:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint.
Title       |                | Hippoo Mobile App for WooCommerce <= 1.7.1 - Missing Authorization to Unauthenticated Limited File Write
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1
            |                | {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:33.371Z

Reserved: 2025-11-03T20:38:38.858Z

Link: CVE-2025-12655

Vulnrichment

Updated: 2025-12-12T20:32:36.948Z

NVD

Status: Deferred

Published: 2025-12-12T07:15:44.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12655

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses