Impact
The Hippoo Mobile App for WooCommerce plugin contains an Incorrect Privilege Assignment flaw (CWE-266) that permits an attacker to elevate their privileges within a WordPress site. By exploiting the plugin's privilege assignment logic, a user with access to the plugin's functionality can gain higher-level rights, potentially including administrator privileges. This can compromise the confidentiality, integrity, and availability of the entire WordPress installation, since a user with elevated privileges may modify or delete content, change site settings, install additional malware, or access sensitive data.
Affected Systems
Affected installations of the Hippoo Mobile App for WooCommerce plugin up to and including version 1.9.4 are vulnerable. No lower bound is given, so all earlier releases should be treated as affected. Site owners running the plugin in any WordPress environment should check their installed plugin version and upgrade if necessary.
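The check above is easy to get wrong with a plain string comparison (for example, "1.10.0" sorts below "1.9.4" lexically). The following script, added here as an illustration and not part of the advisory or of the plugin, reads the standard WordPress plugin header ("Plugin Name:" and "Version:" lines in the plugin's main PHP file) and compares the version numerically against the advisory's upper bound of 1.9.4. The plugin's directory name under wp-content/plugins is not stated in the advisory, so the script scans every plugin directory and matches on the plugin name; the sample header embedded at the bottom is constructed for demonstration.

```python
"""Find installed WordPress plugins and flag a copy of Hippoo Mobile App for
WooCommerce whose version is in the affected range (<= 1.9.4).

Added example, not the advisory's or the plugin's own code. Assumptions:
- the plugin ships a standard WordPress header block in its main .php file;
- the plugin directory name is unknown, so matching is done on Plugin Name.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Upper bound from the advisory; no lower bound is given, so anything at or
# below this value is treated as affected.
AFFECTED_MAX = "1.9.4"
AFFECTED_PLUGIN_NAME = "Hippoo Mobile App for WooCommerce"

# WordPress reads header fields from the file's leading comment block, where
# each line may be prefixed with comment characters such as " * ".
_HEADER_FIELD = r"^[ \t/*#@]*{field}:[ \t]*(.*?)[ \t]*$"
_NAME_RE = re.compile(_HEADER_FIELD.format(field="Plugin Name"), re.MULTILINE)
_VERSION_RE = re.compile(_HEADER_FIELD.format(field="Version"), re.MULTILINE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integer components so that 1.10.0 > 1.9.4.

    Non-numeric suffixes (e.g. '-beta') are ignored; only digit runs count.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(installed: str, max_affected: str = AFFECTED_MAX) -> bool:
    """True when the installed version is at or below the affected upper bound."""
    return parse_version(installed) <= parse_version(max_affected)


def read_header(plugin_file_text: str) -> Dict[str, Optional[str]]:
    """Extract Plugin Name and Version from a plugin's main file contents."""
    name = _NAME_RE.search(plugin_file_text)
    version = _VERSION_RE.search(plugin_file_text)
    return {
        "name": name.group(1) if name else None,
        "version": version.group(1) if version else None,
    }


def assess_header(plugin_file_text: str) -> Dict[str, object]:
    """Decide whether a header describes an affected copy of the plugin."""
    header = read_header(plugin_file_text)
    name, version = header["name"], header["version"]
    affected = (
        name == AFFECTED_PLUGIN_NAME and version is not None and is_affected(version)
    )
    return {"name": name, "version": version, "affected": affected}


def scan_plugins_dir(plugins_root: Path) -> List[Dict[str, object]]:
    """Scan wp-content/plugins/<dir>/*.php and return findings for affected copies.

    Only top-level .php files of each plugin directory are inspected, which is
    where WordPress itself looks for the header block.
    """
    findings = []
    for plugin_dir in sorted(p for p in plugins_root.iterdir() if p.is_dir()):
        for php_file in sorted(plugin_dir.glob("*.php")):
            try:
                # The header sits at the top of the file; 8 KiB is plenty.
                text = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
            except OSError:
                continue
            result = assess_header(text)
            if result["name"] == AFFECTED_PLUGIN_NAME:
                result["path"] = str(php_file)
                findings.append(result)
                break  # one header per plugin directory is enough
    return findings


# Constructed sample header (not a real file from the plugin) used to show
# the parser and the version comparison working together.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Hippoo Mobile App for WooCommerce
 * Description: constructed sample header for illustration
 * Version: 1.9.4
 */
"""

if __name__ == "__main__":
    print(assess_header(SAMPLE_HEADER))
    root = Path("wp-content/plugins")  # assumed path of a local WordPress install
    if root.is_dir():
        for finding in scan_plugins_dir(root):
            print(finding)
```

Run it from the WordPress document root; any finding with "affected": True names a copy that should be updated past 1.9.4. The numeric comparison in parse_version is the part worth keeping even if the rest is replaced by a WP-CLI query, because it is what distinguishes a patched 1.10.x build from a vulnerable 1.9.x one.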
Risk and Exploitability
The CVSS base score of 9.8 indicates critical severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalogue. Given the nature of the plugin, the likely attack vector is that an authenticated user, or a visitor who can interact with the plugin's interface, triggers the flaw. Because the severity is high and the privilege escalation is easy to achieve, the risk to affected sites is substantial, and the vulnerability is considered exploitable by threat actors with moderate technical skill.
OpenCVE Enrichment