CVE-2025-13339
Published 2025-12-10
Priority: P2 · 62 · High · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: EXPLOIT
EPSS: 2.06% (78.9th percentile)
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hippooo | hippoo_mobile_app_for_woocommerce | <= 1.7.1 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests containing the query parameter 'hippoo_serve' with directory traversal sequences (e.g., '../') targeting WordPress sites; unauthenticated requests with this parameter are the attack vector.
- Alert on HTTP 200 responses to requests with the 'hippoo_serve' parameter whose body contains 'root:' with UID/GID 0:0 (indicating /etc/passwd read) or both 'DB_NAME' and 'DB_PASSWORD' strings (indicating wp-config.php exfiltration).
- Use Shodan/FOFA to identify exposed targets: Shodan query 'http.component:"WordPress"' combined with FOFA query 'body="hippoo"' to find instances of the vulnerable plugin.
- The vulnerability is triggered via the template_redirect() function hook; look for unauthenticated file-read activity originating from this WordPress action in server-side logs.
- The plugin serves PWA files from the pwa/ directory; only versions up to and including 1.7.1 are vulnerable. Version 1.7.2 adds realpath() canonicalization and a strpos() prefix check to confine reads to pwa/.
- Exploitation is fully unauthenticated (no WordPress session or credentials required), meaning any internet-facing WordPress site running the vulnerable plugin version is at risk without any authentication barrier.
- Successful exfiltration of wp-config.php enables downstream attacks: database compromise and WordPress authentication cookie forgery leading to full site takeover.
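The first two detection indicators above, turned into a log check as an added example (not from the advisory, the plugin, or any published rule). It parses combined-format access log lines (the sample lines below are constructed), percent-decodes the hippoo_serve value repeatedly so encoded and double-encoded traversal is caught as well, and reports each attempt with its HTTP status so that 200 responses can be escalated for the body-content check.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log lines (combined log format); not from a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2025:10:01:02 +0000] "GET /?hippoo_serve=manifest.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2025:10:01:05 +0000] "GET /?hippoo_serve=../../../../etc/passwd HTTP/1.1" 200 1831 "-" "curl/8.4"
203.0.113.9 - - [10/Dec/2025:10:01:07 +0000] "GET /?hippoo_serve=..%2F..%2Fwp-config.php HTTP/1.1" 200 3011 "-" "curl/8.4"
203.0.113.9 - - [10/Dec/2025:10:01:09 +0000] "GET /?hippoo_serve=%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "curl/8.4"
198.51.100.4 - - [10/Dec/2025:10:02:00 +0000] "GET /shop/?p=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Forward- or back-slash parent-directory sequence after decoding.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def decode_fully(value, rounds=3):
    """Percent-decode until stable so double/triple-encoded '../' is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text):
    """Return (client_ip, http_status, decoded hippoo_serve value) for each
    request whose hippoo_serve parameter carries a directory traversal sequence.
    A 200 status on such a request is the candidate for the response-body check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs removes one layer of percent-encoding; decode_fully handles the rest.
        for raw in parse_qs(query, keep_blank_values=True).get("hippoo_serve", []):
            value = decode_fully(raw)
            if TRAVERSAL_RE.search(value):
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits


if __name__ == "__main__":
    for ip, status, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} status={status} hippoo_serve={path!r}")
```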
No detection rules found.
Nuclei
CVE-2025-13339 [HIGH] Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read (nuclei · CVSS 7.5)
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to and including 1.7.1 via the template_redirect() function. The plugin registers 'hippoo_serve' as a WordPress query variable and uses it to serve PWA files from the pwa/ directory. In vulnerable versions, the user-supplied value is concatenated directly into a filesystem path without any sanitization or directory confinement check, then passed to readfile(). This allows unauthenticated attackers to read arbitrary files on the server by injecting directory traversal sequences (../).
Template:
```yaml
id: CVE-2025-13339
info:
  name: Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File
```