CVE-2025-13339
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-10
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hippoo | woocommerce_plugin | 1.7.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Hippoo Mobile App for WooCommerce plugin for WordPress has a Path Traversal vulnerability in versions up to and including 1.7.1. This vulnerability exists in the template_redirect() function and allows unauthenticated attackers to read arbitrary files on the server by manipulating file paths.
How can this vulnerability impact me? :
This vulnerability can allow attackers to access sensitive information stored in files on the server without authentication. This could lead to exposure of confidential data, potentially compromising the security and privacy of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to read arbitrary files on the server, which can include sensitive information. This unauthorized access to sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. The security update addresses this by preventing path traversal and securing file access, thereby helping to maintain compliance with such standards. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you can check if your WordPress installation is running the Hippoo Mobile App for WooCommerce plugin version 1.7.1 or earlier, as these versions are vulnerable. Additionally, you can monitor HTTP requests for suspicious path traversal attempts targeting the template_redirect() function, such as requests containing '../' sequences or attempts to access arbitrary files via the PWA route. Commands to help detect this include using web server logs analysis tools or command-line searches like: 1) grep -r "template_redirect" /path/to/wordpress/wp-content/plugins/hippoo-woocommerce_plugin/ 2) grep -E "\.\./|%2e%2e" /var/log/apache2/access.log 3) Using curl or wget to test for path traversal, e.g., curl -v "http://yourdomain.com/pwa/../../../../etc/passwd" and checking for file content leakage. These methods help identify if the vulnerable plugin version is present and if exploitation attempts are occurring. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later, which contains the security patch fixing the path traversal vulnerability. This update hardens URL rewrite rules, enforces strict file path validation using realpath(), and improves REST API token handling to prevent unauthorized file access and token misuse. If updating immediately is not possible, consider disabling the plugin temporarily to prevent exploitation. Additionally, review and restrict access to the PWA directory and monitor logs for suspicious activity until the patch is applied. [1]