Description
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-12-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Arbitrary File Read
Action: Patch Immediately
AI Analysis

Impact

The Hippoo Mobile App for WooCommerce plugin is susceptible to a path traversal flaw in all releases up to and including 1.7.1. The flaw lies within the template_redirect() function, enabling attackers who need not authenticate to obtain the contents of any file on the server. This can expose private configuration files, credentials, or other sensitive data, thereby compromising confidentiality and potentially allowing further exploitation.

Affected Systems

WordPress sites using the Hippooo Mobile App for WooCommerce plugin, specifically versions 1.7.1 and earlier. All installs of the plugin found in the WordPress plugin repository that match these versions are affected.

Risk and Exploitability

With a CVSS of 7.5 the vulnerability is classified as high severity, and the EPSS score of less than 1% indicates that exploitation is currently unlikely but still possible. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely a web request to a directed URL that triggers template_redirect; no authentication is required. Overall, the risk is moderate to high, especially for sites handling sensitive information.

Generated by OpenCVE AI on April 22, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hippooo Mobile App for WooCommerce plugin to version 1.7.2 or later in order to eliminate the path traversal flaw.
  • If an update is not immediately possible, disable the plugin to prevent the vulnerability from being exploitable.
  • Implement file system permissions that restrict the web server’s access to irrelevant configuration files, thereby reducing the potential impact of a path traversal attempt.

Generated by OpenCVE AI on April 22, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Hippooo
Hippooo hippoo Mobile App For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Hippooo
Hippooo hippoo Mobile App For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Wed, 10 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Title Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Hippooo Hippoo Mobile App For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:47.451Z

Reserved: 2025-11-17T22:04:06.883Z

Link: CVE-2025-13339

cve-icon Vulnrichment

Updated: 2025-12-10T15:22:14.644Z

cve-icon NVD

Status : Deferred

Published: 2025-12-10T05:16:02.200

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13339

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:30:22Z

Weaknesses