CVE-2026-49065

Hippoo Mobile App for WooCommerce <= 1.9.5 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.9.6
Patched in
8d
Time to patch

Description

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.9.5
PublishedJune 8, 2026
Last updatedJune 15, 2026
Affected pluginhippoo

What Changed in the Fix

Changes introduced in v1.9.6

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-49065 ## 1. Vulnerability Summary The **Hippoo Mobile App for WooCommerce** plugin (versions <= 1.9.5) contains a missing authorization vulnerability. The plugin registers several AJAX actions and potentially hooks into `admin_init` or `init` to handle settin…

Show full research plan

Exploitation Research Plan - CVE-2026-49065

1. Vulnerability Summary

The Hippoo Mobile App for WooCommerce plugin (versions <= 1.9.5) contains a missing authorization vulnerability. The plugin registers several AJAX actions and potentially hooks into admin_init or init to handle settings and role permissions. Based on the provided source and common patterns in this plugin, the vulnerability likely stems from a state-changing function (like saving settings or modifying roles) that lacks a current_user_can() capability check, or is incorrectly hooked to admin_init, allowing unauthenticated attackers to trigger the action via admin-ajax.php.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php or a REST API endpoint under wp-json/.
  • Action: Likely hippoo_save_permission_role, hippoo_add_permission_role, or a general settings save action (e.g., hippoo_save_settings).
  • Authentication: None required (unauthenticated).
  • Parameters:
    • action: The AJAX action string.
    • nonce: A security nonce (which may be obtainable from the frontend).
    • role_key: The target user role (e.g., customer, subscriber).
    • hippoo_permissions_settings: The configuration payload.

3. Code Flow

  1. Entry Point:

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.