[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmZpZcfFOj2gf0NXWoRaYd1PaHPulRpNQbvLKQDQClq8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20},"CVE-2025-12655","hippoo-mobile-app-for-woocommerce-missing-authorization-to-unauthenticated-limited-file-write","Hippoo Mobile App for WooCommerce \u003C= 1.7.1 - Missing Authorization to Unauthenticated Limited File Write","The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `\u002Fwp-json\u002Fhippoo\u002Fv1\u002Fwc\u002Ftoken\u002Fsave_callback\u002F{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint.","hippoo",null,"\u003C=1.7.1","1.7.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2025-12-11 17:41:07","2025-12-12 06:32:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd34701a0-c745-441c-8d6c-7befc877f8d0?source=api-prod",1]