cbcvebase.
CVE-2025-12655
published 2025-12-12

CVE-2025-12655: The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and…

PriorityP336medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
0.24%
14.3th percentile
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint.

Affected

4 ranges
VendorProductVersion rangeFixed in
hippooohippoo_mobile_app_for_woocommerce<= 1.7.1
msrccbl_mariner_1.0_arm
msrccbl_mariner_1.0_x64
msrccm1_kernel_5.4.91-11_on_cbl_mariner_1.0

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vendor_msrc5.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.