Hippoo Mobile App for WooCommerce <= 1.9.5 - Missing Authorization
Description
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.9.6
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-49065 ## 1. Vulnerability Summary The **Hippoo Mobile App for WooCommerce** plugin (versions <= 1.9.5) contains a missing authorization vulnerability. The plugin registers several AJAX actions and potentially hooks into `admin_init` or `init` to handle settin…
Show full research plan
Exploitation Research Plan - CVE-2026-49065
1. Vulnerability Summary
The Hippoo Mobile App for WooCommerce plugin (versions <= 1.9.5) contains a missing authorization vulnerability. The plugin registers several AJAX actions and potentially hooks into admin_init or init to handle settings and role permissions. Based on the provided source and common patterns in this plugin, the vulnerability likely stems from a state-changing function (like saving settings or modifying roles) that lacks a current_user_can() capability check, or is incorrectly hooked to admin_init, allowing unauthenticated attackers to trigger the action via admin-ajax.php.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.phpor a REST API endpoint underwp-json/. - Action: Likely
hippoo_save_permission_role,hippoo_add_permission_role, or a general settings save action (e.g.,hippoo_save_settings). - Authentication: None required (unauthenticated).
- Parameters:
action: The AJAX action string.nonce: A security nonce (which may be obtainable from the frontend).role_key: The target user role (e.g.,customer,subscriber).hippoo_permissions_settings: The configuration payload.
3. Code Flow
- Entry Point:
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.