A critical authentication bypass in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) lets unauthenticated attackers reset any user's password and seize full administrator control of the site.
What Is It
CVE-2026-10580 is a CVSS 9.8 (CRITICAL) authorization flaw (CWE-285) in the Hippoo Mobile App for WooCommerce plugin for WordPress. The root cause is a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors. HippooPermissions::has_role_access() then unconditionally interprets that sentinel as full administrator access. As a result, override_extension_permission_callback() assigns __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), while the block_unauthorized_access() pre-dispatch guard fails to stop unauthenticated users for the same reason.
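The flaw described above is a classic sentinel conflation: one return value carries two meanings ("administrator, no restrictions" and "no user at all"), and the caller only knows about the first. The following Python model, written for this note and not taken from the plugin's source, reproduces that pattern and places a hardened variant beside it. The user dictionaries, the ROLE_ROUTES allow-list and the function names are constructed assumptions that mirror the advisory's description of HippooPermissions::get_user_permissions() and has_role_access(); the plugin itself is PHP.

```python
from typing import FrozenSet, Optional

# Constructed sample principals (not real site data). WordPress has no current
# user object for an unauthenticated REST request, modelled here as None.
ADMIN = {"id": 1, "roles": {"administrator"}}
SHOP_MANAGER = {"id": 7, "roles": {"shop_manager"}}
ANONYMOUS = None

# Hypothetical per-role route allow-list. Administrators deliberately have no
# entry ("unrestricted"), which is where the two meanings start to overlap.
ROLE_ROUTES = {"shop_manager": frozenset({"/wc/v3/orders", "/wc/v3/products"})}


def vulnerable_get_user_permissions(user) -> Optional[FrozenSet[str]]:
    """Returns None for both 'administrator, unrestricted' and 'no user'."""
    if user is None:
        return None                      # unauthenticated: nothing to look up
    if "administrator" in user["roles"]:
        return None                      # administrator: no restrictions apply
    allowed = set()
    for role in user["roles"]:
        allowed |= ROLE_ROUTES.get(role, frozenset())
    return frozenset(allowed)


def vulnerable_has_role_access(user, route: str) -> bool:
    """Models the caller that reads the None sentinel as 'administrator'."""
    perms = vulnerable_get_user_permissions(user)
    if perms is None:
        return True                      # BUG: anonymous callers land here too
    return route in perms


# Hardened form: authentication is decided before authorization, and the
# administrator case uses a distinct sentinel instead of None.
UNRESTRICTED = object()


def fixed_get_user_permissions(user):
    if user is None:
        raise PermissionError("authentication required")
    if "administrator" in user["roles"]:
        return UNRESTRICTED
    allowed = set()
    for role in user["roles"]:
        allowed |= ROLE_ROUTES.get(role, frozenset())
    return frozenset(allowed)


def fixed_has_role_access(user, route: str) -> bool:
    try:
        perms = fixed_get_user_permissions(user)
    except PermissionError:
        return False                     # deny unauthenticated callers outright
    if perms is UNRESTRICTED:
        return True
    return route in perms
```

The design point is that "no restrictions" and "no identity" must never share a representation; raising (or returning a typed denial) for the missing-user case means a permission callback cannot accidentally grant it the administrator path.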
Why It Matters
The attack requires no credentials, no user interaction, and only network access (AV:N/AC:L/PR:N/UI:N). An attacker can invoke any core REST endpoint through the plugin's proxy. Most critically, a POST to /wc-hippoo/v1/ext/wp/v2/users/<id> with a body of {"password":"<new_password>"} resets the password of any WordPress user, including the site administrator, yielding total site compromise. Confidentiality, integrity, and availability impacts are all rated HIGH.
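Because the abuse path goes through the plugin's proxy prefix, it leaves a distinctive trace in ordinary web server access logs: a core wp/v2/users route appearing under /wc-hippoo/v1/ext/. The following Python scanner is an added example for this note (not tooling from the plugin or the advisory); it parses combined-format log lines and flags proxied requests to the users endpoint, rating mutating methods higher. The log lines, IP addresses and user agents are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed access-log sample (combined format); every value here is made up.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-json/wc-hippoo/v1/ext/wc/v3/products HTTP/1.1" 200 5120 "-" "Hippoo/1.9"
203.0.113.10 - - [10/Mar/2026:12:00:05 +0000] "POST /wp-json/wc-hippoo/v1/ext/wp/v2/users/1 HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:12:00:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:12:00:12 +0000] "GET /wp-json/wc-hippoo/v1/ext/wp/v2/users HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:12:01:30 +0000] "PUT /wp-json/wc-hippoo/v1/ext/wp/v2/users/me HTTP/1.1" 401 113 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# The plugin's proxy prefix from the advisory. WordPress serves REST routes under
# /wp-json/ by default and via ?rest_route= when pretty permalinks are off, so
# the prefix is searched anywhere in the request target rather than anchored.
PROXY_RE = re.compile(r'/wc-hippoo/v1/ext/(?P<inner>.+)$')

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Flag proxied requests to the core users endpoint; None if not relevant."""
    m = PROXY_RE.search(entry["path"])
    if not m:
        return None
    inner = m.group("inner").split("?", 1)[0]      # drop any query string
    if not inner.startswith("wp/v2/users"):
        return None
    return {
        "ip": entry["ip"],
        "ts": entry["ts"],
        "method": entry["method"],
        "route": inner,
        "status": entry["status"],
        "ua": entry["ua"],
        # Writes to user objects through the proxy are the password-reset path;
        # reads are still worth a look (account enumeration via the proxy).
        "severity": "high" if entry["method"] in MUTATING else "medium",
        # A 2xx on a mutating request against an unpatched site means the change
        # went through; treat the affected account's credentials as compromised.
        "succeeded": entry["status"].startswith("2"),
    }


def scan(log_text: str) -> List[Dict[str, str]]:
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["ts"], f["ip"], f["method"], f["route"], f["status"])
```

Run it against the site's real access log (`python3 scan.py < access.log` after swapping SAMPLE_LOG for stdin) and follow any "high" hit with a check of the affected user's password-changed timestamp and login history; on a site that was unpatched at the time of the request, assume the account was taken over regardless of what the attacker did next.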
What's Vulnerable
- Plugin: Hippoo Mobile App for WooCommerce (WordPress plugin)
- Affected versions: All versions up to and including 1.9.4
- Weakness: CWE-285 (Improper Authorization)
- Vector: Network-reachable REST routes under /wc-hippoo/v1/ext/
No CISA KEV entry exists for this CVE at the time of writing; active exploitation has not been confirmed through KEV.
Patch Status
A fix has been committed upstream; see WordPress.org plugin changeset 3557733. Site operators running Hippoo Mobile App for WooCommerce ≤ 1.9.4 should update to the patched release immediately. Until patched, the plugin should be deactivated, as any internet-reachable installation is trivially exploitable by an unauthenticated attacker.
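For fleet triage, the installed version can be read from WP-CLI and compared against the affected range stated above. The script below is an added example for this note, not part of the plugin or the advisory. It parses the JSON that `wp plugin list --format=json` emits (the sample output is constructed here) and decides between "update" and "deactivate" per the guidance in this section. The plugin slug `hippoo` is an assumption; confirm the actual directory name under wp-content/plugins/ before using it.

```python
import json
import re
from typing import Dict, Tuple

# Constructed stand-in for `wp plugin list --format=json` output; versions and
# plugin names are illustrative only.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "none", "version": "9.6.1"},
    {"name": "hippoo", "status": "active", "update": "available", "version": "1.9.4"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])

# From the advisory: every version up to and including 1.9.4 is affected.
VULNERABLE_MAX = "1.9.4"


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric prefix as an int tuple, so 1.10.0 sorts above 1.9.4."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(version: str, max_affected: str = VULNERABLE_MAX) -> bool:
    return parse_version(version) <= parse_version(max_affected)


def triage(wp_cli_json: str, slug: str = "hippoo") -> Dict[str, str]:
    """Return the action this section calls for: update, deactivate, or none."""
    for plugin in json.loads(wp_cli_json):
        if plugin["name"] != slug:
            continue
        version = plugin["version"]
        if not is_vulnerable(version):
            return {"slug": slug, "version": version, "action": "none"}
        # Prefer the fix when WP-CLI already sees it; otherwise the only safe
        # interim state for an internet-reachable site is deactivated.
        action = "update" if plugin.get("update") == "available" else "deactivate"
        return {"slug": slug, "version": version, "action": action}
    return {"slug": slug, "version": "", "action": "not-installed"}


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_OUTPUT
    print(json.dumps(triage(data)))
```

Typical use is `wp plugin list --format=json | python3 triage.py`, followed by `wp plugin update <slug>` or `wp plugin deactivate <slug>` according to the reported action; a version string without a parseable numeric prefix raises rather than silently passing as safe.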