WP-Safety

Hippoo Auth Security & Risk Analysis

wordpress.org/plugins/hippoo-auth

Extend your WooCommerce Store API with secure authentication endpoints for social and manual login. Ideal for custom apps, headless themes, or fronten …

0 active installs v1.0.2 PHP 7.4+ WP 5.8+ Updated Jun 6, 2025
headless-woocommercejwtrest-apisocial-loginwoocommerce
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Hippoo Auth Safe to Use in 2026?

Generally Safe

Score 100/100

Hippoo Auth has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10mo ago
Risk Assessment

The "hippoo-auth" v1.0.2 plugin exhibits a mixed security posture. On the positive side, the plugin demonstrates excellent practices regarding SQL queries and output escaping, with 100% of SQL queries using prepared statements and all output being properly escaped. There are no recorded vulnerabilities (CVEs) for this plugin, suggesting a generally stable and secure development history. The absence of dangerous functions, file operations, and any taint analysis findings further bolster this positive impression. However, a significant concern arises from the substantial attack surface exposed by its REST API routes. With 13 total routes and 7 lacking proper permission callbacks, these endpoints are potentially vulnerable to unauthorized access and manipulation. This lack of authentication on a notable portion of its entry points is a critical weakness that could be exploited by attackers to perform actions they are not permitted to do, even if the underlying functionality itself is secure.

Key Concerns

  • REST API routes without permission callbacks
Vulnerabilities
None known

Hippoo Auth Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Hippoo Auth Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
0
10 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
3
Bundled Libraries
0

Output Escaping

100% escaped10 total outputs
Attack Surface
7 unprotected

Hippoo Auth Attack Surface

Entry Points13
Unprotected7

REST API Routes 13

GET/wp-json/hippoo-auth/v1ordersapp\web-api-auth.php:6
GET/wp-json/hippoo-auth/v1orders/(?P<order_id>\d+)app\web-api-auth.php:12
GET/wp-json/hippoo-auth/v1addressesapp\web-api-auth.php:18
PUT/wp-json/hippoo-auth/v1addressesapp\web-api-auth.php:24
GET/wp-json/hippoo-auth/v1settingsapp\web-api-auth.php:30
POST/wp-json/hippoo-auth/v1loginapp\web-api.php:6
POST/wp-json/hippoo-auth/v1signupapp\web-api.php:28
POST/wp-json/hippoo-auth/v1logoutapp\web-api.php:50
POST/wp-json/hippoo-auth/v1reset-password/requestapp\web-api.php:56
POST/wp-json/hippoo-auth/v1reset-password/confirmapp\web-api.php:70
POST/wp-json/hippoo-auth/v1social-loginapp\web-api.php:94
POST/wp-json/hippoo-auth/v1refresh-tokenapp\web-api.php:119
POST/wp-json/hippoo-auth/v1validate-tokenapp\web-api.php:135
WordPress Hooks 6
actionadmin_initapp\settings.php:5
actionadmin_menuapp\settings.php:6
actionadmin_menuapp\test.php:5
actionadmin_enqueue_scriptsapp\test.php:30
actionrest_api_initapp\web-api-auth.php:5
actionrest_api_initapp\web-api.php:5
Maintenance & Trust

Hippoo Auth Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedJun 6, 2025
PHP min version7.4
Downloads235

Community Trust

Rating100/100
Number of ratings1
Active installs0
Alternatives

Hippoo Auth Alternatives

CoCart JWT Authentication

CoCart JWT Authentication

cocart-jwt-authentication

A
100

JWT Authentication for CoCart API.

200 No CVEs
WooCommerce Legacy REST API

WooCommerce Legacy REST API

woocommerce-legacy-rest-api

A
92

The WooCommerce Legacy REST API, which is now part of WooCommerce itself but will be removed in WooCommerce 9.0.

400K No CVEs
JWT Authentication for WP REST API

JWT Authentication for WP REST API

jwt-authentication-for-wp-rest-api

A
100

Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.

60K No CVEs
JWT Authentication for WP REST APIs

JWT Authentication for WP REST APIs

wp-rest-api-authentication

A
97

Secure and protect WordPress REST API from unauthorized access using JWT token, Basic Authentication, API Key, OAuth 2, or external token.

20K 2 CVEs
CoCart – Headless REST API for WooCommerce

CoCart – Headless REST API for WooCommerce

cart-rest-api-for-woocommerce

A
100

A developer-first REST API to decouple WooCommerce on the frontend to help build modern and scalable storefronts. Fast, secure, customizable, easy.

1K 1 CVE
Developer Profile

Hippoo Auth Developer Profile

hippoosupport

1 plugin · 0 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Hippoo Auth

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/hippoo-auth/assets/css/test.css/wp-content/plugins/hippoo-auth/assets/js/test.js
Script Paths
https://accounts.google.com/gsi/clienthttps://connect.facebook.net/en_US/sdk.jshttps://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js
Version Parameters
hippoo-auth/assets/css/test.css?ver=hippoo-auth/assets/js/test.js?ver=

HTML / DOM Fingerprints

CSS Classes
social-login-containersocial-btnuser-info
Data Attributes
id="google-login"id="facebook-login"id="apple-login"id="info-message"id="user-info"id="user-name"+2 more
JS Globals
hippooAuthConfig
REST Endpoints
/wp-json/hippoo-auth/v1/social-login/wp-json/hippoo-auth/v1/orders/wp-json/hippoo-auth/v1/orders/(?P<order_id>\d+)/wp-json/hippoo-auth/v1/addresses/wp-json/hippoo-auth/v1/settings
FAQ

Frequently Asked Questions about Hippoo Auth