Hippooo / Hippoo Mobile App For WooCommerce vulnerabilities
4 known vulnerabilities affecting hippooo/hippoo_mobile_app_for_woocommerce.
Total CVEs: 4
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2026-10580 | P1 | CRITICAL | CVSS 9.8 | PoC available | Affected: ≤ 1.9.4 | 2026-06-05
CVE-2026-10580 [CRITICAL] CWE-285
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visit
Source: nvd
CVE-2025-13339 | P2 | HIGH | CVSS 7.5 | PoC available | Affected: ≤ 1.7.1 | 2025-12-10
CVE-2025-13339 [HIGH] CWE-22
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Source: nvd
CVE-2026-49065 | P3 | HIGH | CVSS 8.2 | Affected: ≥ n/a, ≤ 1.9.5 | 2026-06-15
CVE-2026-49065 [HIGH] CWE-862
Unauthenticated Broken Access Control in Hippoo Mobile App for WooCommerce <= 1.9.5 versions.
Source: nvd
CVE-2025-12655 | P3 | MEDIUM | CVSS 5.3 | Affected: ≤ 1.7.1 | 2025-12-12
CVE-2025-12655 [MEDIUM] CWE-862
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauth
Source: nvd