
9 matches found

NVD
added 2026/06/05 7:16 p.m., 8 views

CVE-2026-10580

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::getuserpermissions, which returns the same null sentinel f...

CVSS 9.8 | EPSS 0.01791
Exploits: 0 | References: 9

EUVD
added 2026/06/05 6:31 p.m., 9 views

EUVD-2026-34887

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::getuserpermissions, which returns the same null sentinel f...

CVSS 9.8 | AI score 5.4 | EPSS 0.01791
Exploits: 0 | References: 9

ATTACKERKB
added 2026/06/05 6:31 p.m., 5 views

CVE-2026-10580

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::getuserpermissions, which returns the same null sentinel f...

CVSS 9.8 | AI score 5.4 | EPSS 0.01791
Exploits: 0 | References: 10

EUVD
added 2025/12/12 6:32 a.m., 7 views

EUVD-2025-203057

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint /wp-json/hippoo/v1/wc/token/save_callback/{token_id} being registered with...

CVSS 5.3 | AI score 5.5 | EPSS 0.00235
Exploits: 0 | References: 5

CVE
added 2025/12/12 6:32 a.m., 23 views

CVE-2025-12655

CVE-2025-12655 corresponds to the Hippoo Mobile App for WooCommerce WordPress plugin. The initial records and a Wordfence post confirm a vulnerability in all versions up to 1.7.1 caused by a REST API endpoint (/wp-json/hippoo/v1/wc/token/save_callback/{token_id}) registered with a permissive perm...

CVSS 5.3 | AI score 5.6 | EPSS 0.00235
Exploits: 0 | References: 4

Positive Technologies
added 2025/12/12 12:0 a.m., 4 views

PT-2025-50890

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint /wp-json/hippoo/v1/wc/token/save_callback/{token_id} being registered with permission...

CVSS 5.3 | AI score 6 | EPSS 0.00235
Exploits: 0 | References: 5

Patchstack
added 2025/12/10 6:34 a.m., 5 views

WordPress Hippoo Mobile App for WooCommerce plugin <= 1.7.1 - Unauthenticated Arbitrary File Read vulnerability

Unauthenticated Arbitrary File Read vulnerability discovered by Moose Love - Nagasaki Prefectural University in WordPress Plugin Hippoo Mobile App for WooCommerce versions <= 1.7.1...

CVSS 7.5 | AI score 6.8 | EPSS 0.01974
Exploits: 0 | References: 1 | Affected Software: 1

NVD
added 2025/12/10 5:16 a.m., 3 views

CVE-2025-13339

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the templateredirect function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain...

CVSS 7.5 | EPSS 0.01974
Exploits: 0 | References: 2

Positive Technologies
added 2025/12/10 12:0 a.m., 2 views

PT-2025-50304

Name of the Vulnerable Software and Affected Versions Hippoo Mobile App for WooCommerce plugin for WordPress versions up to and including 1.7.1 Description The Hippoo Mobile App for WooCommerce plugin for WordPress contains a flaw that allows unauthorized access to server files. This is due to a...

CVSS 7.5 | AI score 5.7 | EPSS 0.01974
Exploits: 0 | References: 9