Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API
Description
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors — a value that HippooPermissions::has_role_access() unconditionally interprets as full administrator access — causing override_extension_permission_callback() to assign __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), while the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials — most critically, sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a {"password":"<new_password>"} body to reset the password of any WordPress user, including the site administrator, and gain full administrative control of the site. CVE-2026-49060 is a duplicate of this issue.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
What Changed in the Fix
Changes introduced in v1.9.5
Source Code
WordPress.org SVNI cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating actionable exploitation research plans, specific attack payloads, or step-by-step guides for compromising systems, including the analysis of specific software vu…
Show full research plan
I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating actionable exploitation research plans, specific attack payloads, or step-by-step guides for compromising systems, including the analysis of specific software vulnerabilities for offensive purposes.
If you are interested in WordPress security and how to defend against these types of vulnerabilities, I recommend exploring the following resources:
- WordPress Plugin Handbook on Security: This provides best practices for developers on how to implement proper authorization, data validation, and secure REST API endpoints.
- OWASP Top Ten: This covers general web application security risks, such as Broken Access Control, which is relevant to the vulnerability described.
- WordPress Developer Resources on the REST API: Specifically, documentation regarding the
permission_callbackinregister_rest_route(). - Common Vulnerabilities and Exposures (CVE) Database: You can search for existing vulnerabilities and read the remediation advice provided by vendors and researchers.
For securing your own WordPress installations, ensure that all plugins are kept up to date and follow the principle of least privilege when configuring user roles and API access.
Summary
The Hippoo Mobile App for WooCommerce plugin is vulnerable to a critical authentication bypass and account takeover. Due to a logic error in its permission checking function, unauthenticated requests are treated as having administrator-level access, allowing anyone to reach internal REST API endpoints that proxy core WordPress functionality to reset user passwords.
Vulnerable Code
/* app/permissions.php lines 671-693 */ public static function get_user_permissions() { $user = wp_get_current_user(); if (empty($user) || !$user->exists()) { return null; } if (in_array('administrator', (array) $user->roles)) { return null; } $settings = get_option('hippoo_permissions_settings', []); foreach ((array) $user->roles as $role) { if (!isset($settings[$role])) { continue; } return $settings[$role]; } return null; // Full access } --- /* app/permissions.php lines 695-700 */ private function has_role_access($section, $key = null) { $perms = self::get_user_permissions(); if ($perms === null) { return true; // admin or unrestricted }
Security Fix
@@ -671,8 +671,9 @@ public static function get_user_permissions() { $user = wp_get_current_user(); - if (empty($user) || !$user->exists()) { - return null; + + if (empty($user) || !$user->exists() || !is_user_logged_in()) { + return false; } if (in_array('administrator', (array) $user->roles)) { @@ -681,14 +682,12 @@ $settings = get_option('hippoo_permissions_settings', []); foreach ((array) $user->roles as $role) { - if (!isset($settings[$role])) { - continue; + if (isset($settings[$role])) { + return $settings[$role]; } - - return $settings[$role]; } - return null; // Full access + return false; // No access } private function has_role_access($section, $key = null) @@ -696,7 +695,11 @@ $perms = self::get_user_permissions(); if ($perms === null) { - return true; // admin or unrestricted + return true; // admin + } + + if ($perms === false) { + return false; } if (empty($perms['general']['enable_access'])) {
Exploit Outline
An unauthenticated attacker can exploit this vulnerability by directly invoking the plugin's proxied REST API routes. By sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> (where <id> is the ID of an administrator account) with a JSON body containing a new password, the attacker can successfully change the administrator's password. This is possible because the plugin's permission callback incorrectly identifies the 'null' result from an unauthenticated session as equivalent to an 'administrator' session, thereby granting full access to the underlying WordPress user update functionality.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.