A critical authentication bypass in the Hippoo Mobile App for WooCommerce plugin lets unauthenticated attackers seize administrator accounts with a single API call. No credentials required.
Quick Overview
- Affects Hippoo Mobile App for WooCommerce versions up to and including 1.9.4 (CVE-2026-10580, CVSS 9.8 Critical).
- A logic flaw in the plugin’s permission checks treats anonymous visitors as administrators, exposing every REST endpoint the plugin registers.
- An attacker can reset an admin password with a single POST to the plugin’s REST path and then log in as that admin.
- Update to 1.9.5 immediately or deactivate the plugin until you can patch.
A severe security flaw in the Hippoo Mobile App for WooCommerce plugin gives any anonymous attacker administrator-level access to affected WordPress sites. No username. No password. Just a single API call.
Tracked as CVE-2026-10580 and rated 9.8 (Critical) on the CVSS scale, the vulnerability was disclosed on June 5, 2026, by Wordfence, credited to security researcher Nguyen Hung. It affects all versions of the plugin up to and including 1.9.4, which is installed on thousands of WooCommerce stores worldwide.
If your site runs Hippoo and you haven’t updated yet, treat this as urgent.
What Is Hippoo and Who Is at Risk?
The Hippoo WordPress plugin links WooCommerce stores to a companion mobile app so store owners can manage products, orders, and customers from their phones. Because many sites install this plugin, the vulnerability affects a large number of stores. If your site has Hippoo 1.9.4 or earlier installed and active, you’re exposed even if you never used the mobile app.
How the Authentication Bypass Works
The bug sits in HippooPermissions::get_user_permissions(), the function that decides a user’s role. Due to a logic error, the function returns the same null value for both admins and unauthenticated visitors. The plugin then treats that null as full admin access.
That single mistake breaks checks across the plugin:
- HippooPermissions::has_role_access() interprets the null as admin rights.
- The plugin assigns __return_true as the permission callback for many REST routes under /wc-hippoo/v1/ext/, removing access controls.
- The plugin re-registers those routes without requiring authentication.
- The guard that should block unauthenticated requests relies on the same broken logic and fails.
Attackers can call core REST endpoints through the plugin’s extension paths. The simplest exploit sends a POST to /wc-hippoo/v1/ext/wp/v2/users/<admin_id> with {"password":"attacker_chosen_password"}, which resets the admin password. The attacker logs in with that password and takes full control. No exploit kit, no brute force — just one HTTP request.
Why this deserves a 9.8 (Critical) rating
This vulnerability scores high on every relevant CVSS axis:
- Attack vector: network — fully remote.
- Complexity: low — no special conditions.
- Privileges required: none — unauthenticated.
- User interaction: none.
- Impact: high on confidentiality, integrity, and availability — an attacker can read sensitive information, modify site content, and cripple the store.
How bad an attack could be
Full admin access on a WooCommerce store lets threat actors steal customer personal information, order histories, and possibly payment details. Attackers can install malicious plugins, inject malicious code or skimmers into checkout web pages, redirect transactions, or hold the site for ransom. Once attackers gain access, they may maintain it by installing backdoors or stealing API keys. Mass scans and exploitation campaigns are likely, since the attack requires only basic HTTP requests and proof-of-concept code will probably spread fast.
Immediate actions you should take
- Update or deactivate
- Update Hippoo to version 1.9.5 now. The patch (changeset 3557733) fixes the permission logic.
- If you can’t update immediately, deactivate the plugin. An inactive plugin won’t expose those REST endpoints.
- Check for compromise
- Review Users in your WordPress dashboard for unknown admin accounts.
- Inspect recent password changes and audit logs for suspicious activity.
- Look for newly installed plugins or modifications that you didn’t authorize.
- Scan and clean
- Run a malware scan with Wordfence or another security tool. Look for malware injection and malicious content, including SEO spam injection that attackers use to boost malicious pages in search engine rankings.
- Remove any malicious software, backdoors, or unauthorized plugins.
- Rotate credentials and keys
- Change admin passwords and any API keys stored on the site.
- Revoke and reissue any plugin subscription keys or tokens that might give remote access.
- Harden and monitor
- Add a temporary WAF rule to block unauthenticated POST requests to paths containing /wc-hippoo/v1/ext/wp/v2/users/.
- Enable multi-factor authentication and tighten admin access to limit what an attacker can do after an initial compromise.
- Monitor logs and IP addresses for suspicious access patterns and notify your security team if you find indicators of compromise.
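As an added example (not code from the advisory or the Hippoo project), the following Python scan implements the monitoring step above: it reads constructed access-log lines in the common combined format, recovers the REST route from both the /wp-json/<route> and ?rest_route=<route> URL forms, and flags requests to the /wc-hippoo/v1/ext/ paths named in the advisory, treating mutating calls on the users endpoint as critical. The log format and sample lines are assumptions; only the route prefix and users path come from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD url proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
EXT_PREFIX = "/wc-hippoo/v1/ext/"  # extension prefix named in the advisory
USERS_RE = re.compile(r"/wc-hippoo/v1/ext/wp/v2/users/(?P<uid>\d+)/?$")
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

def rest_route(url: str) -> str:
    """Recover the REST route from either /wp-json/<route> or ?rest_route=<route>."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return unquote(qs["rest_route"][0])
    path = unquote(parts.path)
    return path[len("/wp-json"):] if path.startswith("/wp-json") else path

def classify(line: str):
    # Returns a finding dict for one access-log line, or None if it never touches the extension paths.
    m = LOG_RE.match(line)
    if not m:
        return None
    route = rest_route(m["url"])
    if EXT_PREFIX not in route:
        return None
    method, users = m["method"], USERS_RE.search(route)
    if users and method in MUTATING:
        severity, detail = "critical", f"{method} on user {users['uid']} via extension path"
    elif method in MUTATING:
        severity, detail = "high", f"{method} via extension path"
    else:
        severity, detail = "low", "read via extension path"
    # 2xx means the plugin accepted the call (likely unpatched); 401/403 means it was rejected.
    outcome = "accepted" if int(m["status"]) < 400 else "rejected"
    return {"ip": m["ip"], "time": m["ts"], "route": route,
            "severity": severity, "outcome": outcome, "detail": detail}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (not real traffic) covering both REST URL forms.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2026:10:15:02 +0000] "POST /wp-json/wc-hippoo/v1/ext/wp/v2/users/1 HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.3 - - [05/Jun/2026:10:16:40 +0000] "GET /wp-json/wc-hippoo/v1/ext/wc/v3/products HTTP/1.1" 200 2048 "-" "Hippoo/1.9"',
    '192.0.2.9 - - [05/Jun/2026:10:17:11 +0000] "POST /index.php?rest_route=%2Fwc-hippoo%2Fv1%2Fext%2Fwp%2Fv2%2Fusers%2F2 HTTP/1.1" 401 93 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Hits are for review rather than automatic blocking: the companion app may legitimately use these routes, so correlate critical findings with the user-list and password-change checks listed above.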
This Is Part of a Broader Pattern
This isn’t an isolated event. Similar WooCommerce-adjacent plugins have suffered critical authentication bypasses before (for example, a near-identical issue in WooCommerce Payments in 2023). Attackers exploit plugin and theme entry points when developers make mistakes in auth logic. Each installed plugin increases your attack surface; nulled plugins (pirated WordPress plugin downloads from unofficial sources) add even more risk because they may already contain malicious code or malware injection vectors. Keep your plugin list lean, audit plugins regularly, and avoid nulled plugins or untrusted sources.
SEO and post-compromise risks
After a breach, attackers often inject malicious content to manipulate search engine rankings. They may insert SEO spam into web pages, add hidden redirects, or create pages that get your site URL and domain placed on blocklists. Those activities damage both trust and organic traffic. Clean up quickly and submit requests to search engines to remove malicious pages.
Frequently asked questions
Am I vulnerable if Hippoo is installed but I don’t use the mobile app?
Yes. The vulnerable endpoints register when the plugin is active, regardless of whether you use the app. Deactivate and update to 1.9.5.
How do I tell if my site was compromised?
Check for unknown admin users, unexpected password resets, recently added plugins, or evidence of malware injection. Run security scans and audit logs for access from suspicious IP addresses.
Will Wordfence block this automatically?
Wordfence often releases firewall rules for critical bugs quickly. Ensure your security tools and signatures are up to date. Nevertheless, patching the plugin is the only permanent fix.
Where do I get the patch?
Update the plugin from WordPress Dashboard > Plugins > Installed Plugins, or download version 1.9.5 from the WordPress plugin repository.
Final recommendations
- Update to Hippoo 1.9.5 or deactivate the plugin.
- Scan for malicious code, malware injection, and SEO spam injection.
- Rotate admin credentials, API keys, and plugin subscription tokens.
- Use multi-factor authentication and web application firewalls.
- Audit installed plugins and avoid nulled plugins or untrusted downloads to reduce the risk of introducing malicious software.