
Hippoo Mobile App for WooCommerce CVE-2026-10580

EUVD-2026-34887 · CRITICAL
Improper Authorization (CWE-285)
2026-06-05 · Wordfence · GHSA-5xvj-rcr9-wm4h
CVSS 3.1 (NVD): 9.8

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 05, 2026 19:23 (vuln.today)
CVE Published: Jun 05, 2026 18:31 (NVD)

Description (CVE.org)

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors - a value that HippooPermissions::has_role_access() unconditionally interprets as full administrator access - causing override_extension_permission_callback() to assign __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), while the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials - most critically, sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a {"password":"<new_password>"} body to reset the password of any WordPress user, including the site administrator, and gain full administrative control of the site.
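The root cause above is a classic sentinel conflation: one value means "this user has no restrictions" in one place and "there is no user" in another, and the consumer only knows the first meaning. The following is an added example written for this page, not code from the Hippoo plugin. The two function names mirror the advisory, but their bodies are an assumed minimal model of the behaviour it describes; the hardened counterpart beneath it shows the shape of a fix that keeps the two states distinct and fails closed for anonymous callers.

```php
<?php
// Added example for this advisory, not code from the Hippoo plugin. The
// vulnerable function bodies are an assumed model of the described logic.

// ---- Vulnerable shape -------------------------------------------------------
// Admins are meant to be unrestricted, so they get null ("no restrictions").
// An anonymous visitor has no user record, so the lookup also yields null.
function vulnerable_get_user_permissions(?array $user): ?array
{
    if ($user === null) {
        return null;                                   // nobody logged in
    }
    if (in_array('administrator', $user['roles'], true)) {
        return null;                                   // "unrestricted" sentinel
    }
    return $user['hippoo_permissions'] ?? [];
}

// Interprets null as full access without asking where the null came from.
function vulnerable_has_role_access(?array $perms, string $capability): bool
{
    if ($perms === null) {
        return true;                                   // admin ... or anonymous
    }
    return in_array($capability, $perms, true);
}

// ---- Hardened shape ---------------------------------------------------------
// "No user" and "administrator" become distinct, explicit states, and the
// anonymous state fails closed before any sentinel logic runs.
final class PermissionSet
{
    public bool $authenticated;
    public bool $unrestricted;
    public array $capabilities;

    public function __construct(bool $authenticated, bool $unrestricted, array $capabilities)
    {
        $this->authenticated = $authenticated;
        $this->unrestricted  = $unrestricted;
        $this->capabilities  = $capabilities;
    }
}

function hardened_get_user_permissions(?array $user): PermissionSet
{
    if ($user === null) {
        return new PermissionSet(false, false, []);    // explicit "nobody"
    }
    $admin = in_array('administrator', $user['roles'], true);
    return new PermissionSet(true, $admin, $user['hippoo_permissions'] ?? []);
}

function hardened_has_role_access(PermissionSet $perms, string $capability): bool
{
    if (!$perms->authenticated) {
        return false;                                  // fail closed
    }
    return $perms->unrestricted || in_array($capability, $perms->capabilities, true);
}

// ---- Demonstration on constructed sample users ------------------------------
$samples = [
    'anonymous'     => null,
    'administrator' => ['roles' => ['administrator'], 'hippoo_permissions' => []],
    'shop_manager'  => ['roles' => ['shop_manager'],  'hippoo_permissions' => ['read_orders']],
];

foreach ($samples as $label => $user) {
    $v = vulnerable_has_role_access(vulnerable_get_user_permissions($user), 'edit_users');
    $h = hardened_has_role_access(hardened_get_user_permissions($user), 'edit_users');
    printf("%-14s vulnerable=%-5s hardened=%s\n", $label, $v ? 'ALLOW' : 'deny', $h ? 'ALLOW' : 'deny');
}
```

Run with `php model.php`: the vulnerable pair grants `edit_users` to both the administrator and the anonymous caller, while the hardened pair grants it only to the administrator and denies the shop manager in both variants. The point of the typed result is that a caller such as a permission-callback factory can no longer mistake "nothing found" for "everything allowed".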

Analysis (AI)

Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Identify WordPress site running Hippoo plugin
  • Delivery: Enumerate /wp-json/wc-hippoo/v1/ext/ namespace
  • Exploit: Send unauthenticated POST to /ext/wp/v2/users/1 with new password
  • Install: Permission callback __return_true accepts request
  • C2: Administrator password reset
  • Execute: Log in to wp-admin as administrator
  • Impact: Install malicious plugin for persistent RCE

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only that the Hippoo Mobile App for WooCommerce plugin (versions ≤ 1.9.4) be installed and active on a network-reachable WordPress site. The vulnerable /wc-hippoo/v1/ext/ REST namespace is registered unconditionally by the plugin's bootstrap, so no special plugin configuration, premium tier, or mobile-app pairing is needed. …

Risk Assessment: All available signals point to high real-world risk. …

Exploit Scenario: An attacker scans the internet for WordPress sites exposing /wp-json/wc-hippoo/v1/ext/, identifies user ID 1 (typically the original administrator), and sends a single unauthenticated POST request to /wp-json/wc-hippoo/v1/ext/wp/v2/users/1 with a JSON body of {"password":"attacker-chosen"}. The server accepts the request because the cloned route's permission callback is __return_true, resets the administrator's password, and the attacker logs into /wp-admin with full site control, typically followed by uploading a malicious plugin or theme for persistent backdoor access. …

Remediation: An upstream fix is available (changeset 3557733 at https://plugins.trac.wordpress.org/changeset/3557733/hippoo). A released patched version above 1.9.4 is not independently confirmed in the supplied data, so administrators should update to the latest available release in the WordPress plugin directory and verify that the installed version is greater than 1.9.4. …

Recommended Action (AI)

Within 24 hours: Disable the Hippoo Mobile App for WooCommerce plugin on all systems running versions ≤ 1.9.4, or implement WAF/firewall rules to block REST API access to the vulnerable endpoints. …
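Where the plugin cannot be disabled immediately (the mobile app may be in active use), the remediation and recommended-action sections above both point at blocking the cloned namespace until a release later than 1.9.4 is installed. The must-use plugin below is an added example for this page, not code from the Hippoo project. It hooks WordPress core's `rest_pre_dispatch` filter, which runs inside `WP_REST_Server::dispatch()` before any route's permission callback, so it does not rely on the plugin's own broken guard. The route prefix comes from the advisory; the file name is hypothetical; and the control assumes the legitimate mobile client authenticates as a WordPress user (cookie plus nonce, or an application password), so any request the REST authentication step could not map to a user is refused.

```php
<?php
/**
 * Plugin Name: Hippoo ext namespace lockdown (temporary mitigation)
 * Description: Denies unauthenticated requests to every route cloned under
 *              /wc-hippoo/v1/ext/ until the Hippoo plugin is updated past 1.9.4.
 *
 * Added example for this advisory, not code from the Hippoo project.
 * Hypothetical file name: wp-content/mu-plugins/hippoo-ext-lockdown.php
 * (mu-plugins load regardless of plugin activation state).
 */

defined('ABSPATH') || exit;

// Priority 1 so this runs ahead of any other rest_pre_dispatch filter,
// including the plugin's own block_unauthorized_access() guard.
add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    $route = $request->get_route();   // e.g. "/wc-hippoo/v1/ext/wp/v2/users/1"

    // Only the cloned namespace is affected; leave every other route alone.
    if (strpos($route, '/wc-hippoo/v1/ext/') !== 0) {
        return $result;
    }

    // Assumption: legitimate clients authenticate as a WordPress user. Anyone
    // the REST authentication step left anonymous is exactly the population the
    // advisory describes as bypassing authorization, so refuse them outright.
    if (!is_user_logged_in()) {
        return new WP_Error(
            'hippoo_ext_locked',
            'Authentication required for this route.',
            ['status' => 401]          // distinct status so attempts stand out in access logs
        );
    }

    // Defence in depth for the route named in the advisory: writes to user
    // records through the clone require the same capability the real wp/v2
    // users route would demand (edit_users is used here as a coarse proxy for
    // WordPress's per-user edit_user meta capability).
    if (preg_match('#^/wc-hippoo/v1/ext/wp/v2/users(/|$)#', $route)
        && in_array($request->get_method(), ['POST', 'PUT', 'PATCH', 'DELETE'], true)
        && !current_user_can('edit_users')) {
        return new WP_Error('hippoo_ext_forbidden', 'Insufficient privileges.', ['status' => 403]);
    }

    return $result;   // null: let normal dispatch continue
}, 1, 3);
```

Returning a `WP_Error` from `rest_pre_dispatch` short-circuits dispatch, and the server serialises it as a JSON error with the given status. After deploying, confirm the control with an unauthenticated request to any route under /wp-json/wc-hippoo/v1/ext/ and expect a 401 carrying the `hippoo_ext_locked` code; then watch the access log for 401s on that prefix, since they are the probes the advisory's exploit scenario describes. Remove the file once the installed plugin version is confirmed to be greater than 1.9.4, as the blanket anonymous denial will break any app workflow that does not authenticate as a WordPress user.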
