Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3
Critical: 1
High: 1
Medium: 1
Showing 1-3 of 3 records
Threat Entry Updated 2026-06-05

CVE-2026-10580 - Hippoo Mobile App For Woocommerce Plugin

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors — a value that HippooPermissions::has_role_access() unconditionally interprets as full administrator access — causing override_extension_permission_callback() to assign __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), while the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated…

PLUGIN Hippoo Mobile App For Woocommerce

CVE-2026-10580

CRITICAL CVSS 9.8 2026-06-05
Threat Entry Updated 2025-12-12

CVE-2025-12655 - Hippoo Mobile App For Woocommerce Plugin

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint.

PLUGIN Hippoo Mobile App For Woocommerce

CVE-2025-12655

MEDIUM CVSS 5.3 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-13339 - Hippoo Mobile App For Woocommerce Plugin

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Hippoo Mobile App For Woocommerce

CVE-2025-13339

HIGH CVSS 7.5 2025-12-10