What is the CVSS score of CVE-2026-49065?

CVE-2026-49065 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.2%.

Which versions of Hippoo Mobile App for WooCommerce are affected by CVE-2026-49065?

The Hippoo Mobile App for WooCommerce plugin (versions 1.9.5 and earlier) contains an unauthenticated broken access control vulnerability that allows attackers to bypass authentication and access…

How to fix or mitigate CVE-2026-49065?

24 hours: Audit all WordPress instances for Hippoo Mobile App v1.9.5 or earlier deployment. 7 days: Implement interim controls-disable or deactivate the plugin, configure Web Application Firewall rules to block unauthenticated plugin endpoints, and enable comprehensive access logging on WooCommerce administrative and API routes. 30 days: Monitor Patchstack security advisories and vendor communications for patch release; evaluate plugin replacement or alternative vendor solutions if patch is not made available within 30 days.

Hippoo Mobile App for WooCommerce CVE-2026-49065

EUVD-2026-36872 HIGH

Missing Authorization (CWE-862)

2026-06-15 Patchstack

GHSA-592f-74mm-m922

Authentication Bypass WordPress Hippoo Mobile App For Woocommerce

8.2

CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY

8.2 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

vuln.today AI

8.2 HIGH

Network-reachable WordPress plugin endpoint with missing authorization (PR:N, AC:L); high confidentiality exposure, limited integrity impact, no availability effect per description.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Jun 15, 2026 - 21:39 vuln.today

CVE Published

Jun 15, 2026 - 20:19 cve.org

HIGH 8.2

DescriptionCVE.org

Unauthenticated Broken Access Control in Hippoo Mobile App for WooCommerce <= 1.9.5 versions.

AnalysisAI

Unauthenticated broken access control in the Hippoo Mobile App for WooCommerce WordPress plugin (versions 1.9.5 and earlier) allows remote attackers to access protected functionality or data without valid credentials. The flaw is reported by Patchstack and stems from missing authorization checks (CWE-862), enabling unauthenticated retrieval or manipulation of resources that should be gated behind authentication. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Fingerprint WordPress site running Hippoo plugin

Delivery

Identify exposed mobile-app endpoint

Exploit

Send unauthenticated HTTP request

Execution

Bypass missing authorization check

Impact

Exfiltrate protected WooCommerce data

Access

Fingerprint WordPress site running Hippoo plugin

Delivery

Identify exposed mobile-app endpoint

Exploit

Send unauthenticated HTTP request

Execution

Bypass missing authorization check

Impact

Exfiltrate protected WooCommerce data

Vulnerability AssessmentAI

Exploitation	No special conditions - remote unauthenticated exploitation against default configurations of the Hippoo Mobile App for WooCommerce plugin at versions ≤ 1.9.5 (CVSS AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals point to a real but bounded risk: the CVSS 3.1 base score of 8.2 reflects network-reachable, unauthenticated, low-complexity exploitation against confidentiality, which is the worst-case combination for prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker enumerates WordPress sites running the Hippoo Mobile App for WooCommerce plugin via wp-content/plugins fingerprints, then issues unauthenticated HTTP requests directly to the plugin's mobile-app REST or admin-ajax endpoints. Because the endpoints fail to verify authorization, the attacker retrieves protected WooCommerce data - for example customer order details or account information - without ever logging in. …
Remediation	No vendor-released patch identified at time of analysis from the supplied data; administrators should monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/hippoo/vulnerability/wordpress-hippoo-mobile-app-for-woocommerce-plugin-1-9-5-broken-access-control-vulnerability for a fixed version above 1.9.5 and upgrade as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress instances for Hippoo Mobile App v1.9.5 or earlier deployment. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49060 CRITICAL Act Now

9.8 Jun 11

Privilege escalation in the Hippoo Mobile App for WooCommerce WordPress plugin (versions up to and including 1.9.4) allo

CVE-2026-49065 vulnerability details – vuln.today

Back

Hippoo Mobile App for WooCommerce CVE-2026-49065

Severity by source

CVSS VectorVendor: Patchstack

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code