Authentication Bypass and Administrator Account Takeover in Hippoo Mobile App for WooCommerce
CVE-2026-10580 affects the Hippoo Mobile App for WooCommerce plugin for WordPress in all versions up to and including 1.9.4. The root cause is the authorization logic in HippooPermissions::get_user_permissions() and HippooPermissions::has_role_access(). Specifically, get_user_permissions() returns the same null sentinel value for both administrators and unauthenticated visitors, and has_role_access() interprets that value as full administrator access. As a result, when HippooControllerWithAuth::re_register_external_routes() clones WordPress and WooCommerce REST routes under /wc-hippoo/v1/ext/, override_extension_permission_callback() assigns __return_true as the permission callback for those routes. The related block_unauthorized_access() pre-dispatch guard fails to stop unauthenticated requests for the same reason.

The net effect is that cloned core REST endpoints are reachable without authentication. The most critical documented exploitation path is a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a JSON body such as {"password":"<new_password>"}, which lets an attacker reset the password of any WordPress user, including an administrator.
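A log-side check for this bypass, added here as an example rather than code from the advisory or the plugin: it parses web-server access logs and flags any request that hits the cloned /wc-hippoo/v1/ext/ prefix, rating writes to the cloned wp/v2/users endpoint highest. It assumes combined log format and the standard WordPress REST base (/wp-json/ or ?rest_route=); the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic). Assumes the
# usual WordPress REST base, /wp-json/ or ?rest_route=, in front of the ext prefix.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "POST /wp-json/wc-hippoo/v1/ext/wp/v2/users/1 HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:10:01:09 +0000] "GET /wp-json/wc-hippoo/v1/ext/wc/v3/orders HTTP/1.1" 200 9812 "-" "Hippoo/1.9.4"
192.0.2.9 - - [10/Mar/2026:10:02:15 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:10:02:40 +0000] "POST /?rest_route=/wc-hippoo/v1/ext/wp/v2/users/1 HTTP/1.1" 200 412 "-" "python-requests/2.31"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
EXT_PREFIX = "/wc-hippoo/v1/ext/"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
USER_ROUTE = re.compile(r"wp/v2/users(/\d+)?$")   # cloned core users endpoint

def rest_route(target):
    """Map a request target to its REST route, or None if it is not a REST call."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):]
    return parse_qs(parts.query).get("rest_route", [None])[0]

def classify(method, route):
    """Severity of one request against the cloned-route prefix, or None if unrelated."""
    if route is None or not route.startswith(EXT_PREFIX):
        return None
    inner = route[len(EXT_PREFIX):]      # the core route the plugin cloned
    if method in WRITE_METHODS and USER_ROUTE.match(inner):
        return "critical"                # user write via the unauthenticated clone
    if method in WRITE_METHODS:
        return "high"                    # any other state change via the clone
    return "info"                        # reads still mean data exposure

def scan(log_text):
    """Return (severity, ip, method, route, status) for every hit on the ext prefix."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        route = rest_route(m["target"])
        sev = classify(m["method"], route)
        if sev:
            findings.append((sev, m["ip"], m["method"], route, int(m["status"])))
    return findings
```

A 2xx status on a "critical" finding means the password change was accepted, so treat that user account as taken over and rotate its credentials and sessions.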
Exploits
No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.
Recent activity
7 sources tracked across advisories, community write-ups, and news.