CVE-2026-10580
Status: Deferred - Pending Action
Authentication Bypass in Hippoo Mobile App for WooCommerce

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Wordfence

Description
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. The root cause is a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors; HippooPermissions::has_role_access() unconditionally interprets that value as full administrator access. As a consequence, override_extension_permission_callback() assigns __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), and the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials. Most critically, sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a {"password":"<new_password>"} body resets the password of any WordPress user, including the site administrator, and grants full administrative control of the site.
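As an added example (not part of the advisory and not the plugin's code), a small log-triage script that flags requests reaching core REST routes through the cloned /wc-hippoo/v1/ext/ prefix described above. The log lines, client addresses and user agents are constructed; the script also handles the ?rest_route= request form that WordPress accepts when pretty permalinks are disabled, which a path-only pattern would miss.

```python
# Added example, not the plugin's code; the sample log lines are constructed.
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2026:10:01:02 +0000] "POST /wp-json/wc-hippoo/v1/ext/wp/v2/users/1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [05/Jun/2026:10:01:03 +0000] "GET /index.php?rest_route=%2Fwc-hippoo%2Fv1%2Fext%2Fwp%2Fv2%2Fusers HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [05/Jun/2026:10:02:00 +0000] "GET /wp-json/wc-hippoo/v1/ext/wc/v3/orders HTTP/1.1" 200 4096 "-" "Hippoo/1.9.4"
198.51.100.7 - - [05/Jun/2026:10:02:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""
# Combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
EXT_PREFIX = "/wc-hippoo/v1/ext/"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def rest_route(target: str) -> Optional[str]:
    """REST route of a request target, or None if it is not a REST call.
    Handles /wp-json/<route> and the ?rest_route=<route> fallback form."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return path[len("/wp-json"):]
    values = parse_qs(parts.query).get("rest_route")  # parse_qs already decodes
    return values[0] if values else None


def classify(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    route = rest_route(m["target"])
    if route is None or not route.startswith(EXT_PREFIX):
        return None
    inner = route[len(EXT_PREFIX):]  # the core route reached through the clone
    is_write = m["method"] in WRITE_METHODS
    touches_users = inner.startswith("wp/v2/users")
    if is_write and touches_users:
        severity = "high"    # modifying a core user object via the clone
    elif is_write or touches_users:
        severity = "medium"
    else:
        severity = "low"     # reads via the clone still bypass the guard
    return {"ip": m["ip"], "method": m["method"], "inner_route": inner, "severity": severity}


def scan(log_text: str) -> list:
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Any hit under the cloned prefix from a client that is not the mobile app deserves a look, since legitimate app traffic should not need to touch wp/v2/users through it.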
Meta Information
Generated: 2026-06-06
AI Q&A: 2026-06-05
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: hippoo
Product: mobile_app_for_woocommerce
Version / Range: up to and including 1.9.4
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The Hippoo Mobile App for WooCommerce plugin for WordPress has a vulnerability that allows unauthenticated attackers to bypass authentication and take over administrator accounts. This happens because the plugin's permission system mistakenly treats unauthenticated visitors as administrators due to a logic error in how user permissions are checked. As a result, attackers can access any WordPress and WooCommerce REST API endpoints without credentials.

Specifically, attackers can send a POST request to reset the password of any WordPress user, including administrators, thereby gaining full administrative control of the site.

How can this vulnerability impact me?

This vulnerability can have severe impacts as it allows attackers to gain full administrative control over a WordPress site running the affected plugin versions. An attacker can reset any user's password, including the administrator's, without authentication.

With administrative access, attackers can modify site content, install malicious plugins or themes, steal sensitive data, disrupt site operations, or use the compromised site as a platform for further attacks.
