Description
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors — a value that HippooPermissions::has_role_access() unconditionally interprets as full administrator access — causing override_extension_permission_callback() to assign __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), while the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials — most critically, sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a {"password":"<new_password>"} body to reset the password of any WordPress user, including the site administrator, and gain full administrative control of the site.
Published: 2026-06-05
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CWE-285: The Hippoo Mobile App for WooCommerce plugin contains a logic flaw where unauthenticated requests are incorrectly granted administrator privileges due to a null value being treated as both an admin and a guest. This flaw leads the plugin to assign a permissive callback to all REST routes exposed under /wc-hippoo/v1/ext/, allowing any unauthenticated visitor to execute privileged API actions. An attacker can exploit this by sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a JSON body that includes a new password, effectively resetting that user's password and acquiring full administrative control of the site.

Affected Systems

WordPress sites running Hippoo Mobile App for WooCommerce version 1.9.4 or earlier are affected, regardless of the underlying WordPress or WooCommerce version.

Risk and Exploitability

The vulnerability has a CVSS score of 9.8, indicating critical severity. The EPSS score is not available. The issue is not listed in the CISA KEV catalog. Attackers can exploit it by making unauthenticated REST API calls to the plugin's endpoints, permitting privilege escalation to administrator level.

Generated by OpenCVE AI on June 5, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hippoo Mobile App for WooCommerce to a version newer than 1.9.4 once a fix is released.
  • If a patch is not yet available, restrict or block access to the /wc-hippoo/v1/ext/ REST routes for unauthenticated users, or block all WP REST API routes for unauthenticated users.
  • After applying a fix or implementing route restrictions, reset the passwords of all administrators and review site logs for anomalous activity.

Generated by OpenCVE AI on June 5, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Hippooo
Hippooo hippoo Mobile App For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Hippooo
Hippooo hippoo Mobile App For Woocommerce
Wordpress
Wordpress wordpress

Fri, 05 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors — a value that HippooPermissions::has_role_access() unconditionally interprets as full administrator access — causing override_extension_permission_callback() to assign __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), while the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials — most critically, sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a {"password":"<new_password>"} body to reset the password of any WordPress user, including the site administrator, and gain full administrative control of the site.
Title Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Hippooo Hippoo Mobile App For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-05T18:31:11.133Z

Reserved: 2026-06-01T17:52:09.019Z

Link: CVE-2026-10580

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-05T19:16:28.830

Modified: 2026-06-05T19:20:19.607

Link: CVE-2026-10580

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T22:00:06Z

Weaknesses