CVE-2025-13339
published 2025-12-10

Priority: P2 (62)
Severity: high, CVSS 3.1 base score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: EXPLOIT
EPSS: 2.06% (78.9th percentile)
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Affected (1 range)

Vendor    Product                              Version range   Fixed in
hippooo   hippoo_mobile_app_for_woocommerce    <= 1.7.1        -

Detection & IOCs (extracted from sources)

URL: /?hippoo_serve=../../../../../../../etc/passwd
URL: /?hippoo_serve=../../../../wp-config.php
  • Monitor HTTP GET requests containing the query parameter 'hippoo_serve' with directory traversal sequences (e.g., '../') targeting WordPress sites; unauthenticated requests with this parameter are the attack vector.
  • Alert on HTTP 200 responses to requests with 'hippoo_serve' parameter whose body contains 'root:' with UID/GID 0:0 (indicating /etc/passwd read) or both 'DB_NAME' and 'DB_PASSWORD' strings (indicating wp-config.php exfiltration).
  • Use Shodan/FOFA to identify exposed targets: Shodan query 'http.component:"WordPress"' combined with FOFA query 'body="hippoo"' to find instances of the vulnerable plugin.
  • The vulnerability is triggered via the template_redirect() function hook; look for unauthenticated file-read activity originating from this WordPress action in server-side logs.
  • The plugin serves PWA files from the pwa/ directory; only versions up to and including 1.7.1 are vulnerable. Version 1.7.2 adds realpath() canonicalization and a strpos() prefix check to confine reads to pwa/.
  • Exploitation is fully unauthenticated (no WordPress session or credentials required), meaning any internet-facing WordPress site running the vulnerable plugin version is at risk without any authentication barrier.
  • Successful exfiltration of wp-config.php enables downstream attacks: database compromise and WordPress authentication cookie forgery leading to full site takeover.
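Added example (not the plugin's code and not part of this record): a small Python detector for the first two bullets above, run over constructed access-log lines, plus a Python rendering of the realpath-and-prefix check that the record says version 1.7.2 introduced. The log lines, client IPs and the pwa/ base path are constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from any real server). The first two
# mirror the IOC URLs above; the third requests a PWA asset, the fourth is unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2025:10:01:02 +0000] "GET /?hippoo_serve=../../../../../../../etc/passwd HTTP/1.1" 200 1842
203.0.113.5 - - [10/Dec/2025:10:01:09 +0000] "GET /?hippoo_serve=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120
198.51.100.7 - - [10/Dec/2025:10:02:00 +0000] "GET /?hippoo_serve=manifest.json HTTP/1.1" 200 412
198.51.100.9 - - [10/Dec/2025:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5000
"""

# Common Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
DOTDOT_RE = re.compile(r'(^|/)\.\.(/|$)')  # a '..' path segment


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded forms normalise to '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded, slash-normalised value contains a '..' segment."""
    return bool(DOTDOT_RE.search(decode_fully(value).replace("\\", "/")))


def scan_log(text):
    """Return (client_ip, status, decoded hippoo_serve value) for each traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in query.get("hippoo_serve", []):
            if is_traversal(value):
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits


def safe_to_serve(base_dir, requested):
    """Fix pattern the record attributes to 1.7.2: canonicalise, then require the base prefix.
    Absolute paths and '..' segments resolve outside base_dir and are rejected."""
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, requested))
    return full == base or full.startswith(base + os.sep)
```

Pairing the request-side match with the HTTP 200 status from `scan_log` implements the second bullet's "successful read" condition without needing the response body.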