Hippoo Mobile App for WooCommerce Authentication Bypass (CVE-2026-10580): Unauthenticated Administrator Account Takeover

An authentication bypass vulnerability in the Hippoo Mobile App for WooCommerce WordPress plugin, tracked as CVE-2026-10580 (CVSS 9.8), allows unauthenticated attackers to gain administrator-level access to WordPress sites. The vulnerability exists because the plugin’s permission checking function returns the same null sentinel for both administrators and unauthenticated visitors, creating a logic conflation that enables full account takeover with no credentials.

What Is the Vulnerability?

CVE-2026-10580 is an improper authorization vulnerability (CWE-285) in HippooPermissions::get_user_permissions(). The function is designed to return different permission levels based on the user’s authentication status and role. However, due to a logic flaw, the function returns the same null sentinel value for both administrators and unauthenticated visitors — making the plugin unable to distinguish between a logged-in administrator and an anonymous user with no credentials at all.

The practical result is that any endpoint or functionality protected by this permission check can be accessed without authentication. An attacker who discovers or enumerates protected endpoints can invoke administrator-level functionality — including creating new administrator accounts, modifying site settings, or accessing user data — with no credentials, no session, and no prior access to the site.
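To make the conflation concrete, the following PHP is an added illustration of the pattern the advisory describes, written for this page; it is not the Hippoo plugin's code, and the class name, the route `example-plugin/v1/orders` and the capability names are assumptions. The vulnerable variant uses `null` to mean both "no user to look up" and "administrator, unrestricted", so the consumer cannot tell the two apart; the hardened variant checks authentication first, grants administrators through WordPress capabilities, and always returns a boolean so the check fails closed.

```php
<?php
/**
 * Illustrative reconstruction of a "null sentinel" permission check.
 * Assumption: this is NOT the Hippoo plugin's code; names and the REST
 * route are invented to show the pattern and its fix.
 */
class Hypothetical_Permissions {

    /**
     * Vulnerable pattern: null is returned both for an anonymous visitor
     * ("nothing to look up") and for an administrator ("unrestricted").
     *
     * @return array|null Capability list, or the ambiguous null sentinel.
     */
    public static function get_user_permissions_vulnerable() {
        if ( ! is_user_logged_in() ) {
            return null; // anonymous visitor
        }
        $user = wp_get_current_user();
        if ( in_array( 'administrator', (array) $user->roles, true ) ) {
            return null; // administrator: same sentinel as anonymous
        }
        return array( 'read_orders' ); // everyone else gets a concrete list
    }

    /**
     * Vulnerable consumer: interprets null as "unrestricted", so anonymous
     * requests are granted administrator-level access.
     */
    public static function can_access_vulnerable( $capability ) {
        $perms = self::get_user_permissions_vulnerable();
        if ( null === $perms ) {
            return true; // conflation: admin OR anonymous both land here
        }
        return in_array( $capability, $perms, true );
    }

    /**
     * Hardened pattern: fail closed. Authentication is checked explicitly,
     * administrators are recognised via current_user_can(), and the result
     * is always a bool, never a sentinel that a caller can misread.
     */
    public static function can_access( $capability ) {
        if ( ! is_user_logged_in() ) {
            return false;
        }
        if ( current_user_can( 'manage_options' ) ) {
            return true;
        }
        $perms = self::get_permission_list_for( wp_get_current_user() );
        return in_array( $capability, $perms, true );
    }

    /** Always returns an array; an unknown role gets an empty list. */
    private static function get_permission_list_for( WP_User $user ) {
        if ( in_array( 'shop_manager', (array) $user->roles, true ) ) {
            return array( 'read_orders', 'edit_orders' );
        }
        return array();
    }
}

// Hypothetical REST route showing where the check is consumed. With the
// hardened check, anonymous callers get 401 and unprivileged users get 403
// via rest_authorization_required_code().
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/orders', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( Hypothetical_Permissions::can_access( 'read_orders' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to access this resource.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
} );
```

When reviewing a plugin for this class of bug, look for permission helpers whose return type mixes a data value with a sentinel (`null`, `false`, `0`, an empty array) and for callers that treat that sentinel as "allow"; the fix is a boolean or `WP_Error` result with the unauthenticated case handled first.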

This follows the pattern of WP Maps Pro (CVE-2026-8732) and Burst Statistics (CVE-2026-8181) — WordPress plugins where logic conflation between unauthenticated and administrative states enables trivial site takeover.

  • CVSS v3.1 Score: 9.8 (Critical)
  • CWE: CWE-285 (Improper Authorization)
  • Attack Vector: Network — no authentication required

Which Versions Are Affected?

  • Hippoo Mobile App for WooCommerce: all versions up to and including 1.9.4

Is It Being Exploited in the Wild?

No active exploitation has been publicly confirmed. However, CVSS 9.8 with unauthenticated admin takeover makes this trivially exploitable — automated scanning for vulnerable WordPress plugins typically begins within days of CVE publication.

What Is the Fix?

Update the Hippoo Mobile App for WooCommerce plugin to a version later than 1.9.4. If an update is not yet available, disable the plugin until the patch can be applied.

Recommendations

Update or disable Hippoo Mobile App immediately. Unauthenticated admin takeover with CVSS 9.8 is an emergency-patch scenario.

Audit for rogue admin accounts. After updating, check Users > All Users for unrecognised administrator accounts — particularly recently created accounts with unusual usernames or email addresses.
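The following script is an added example for the audit step above, not part of the advisory; it runs inside WordPress (for instance with WP-CLI as `wp eval-file audit-admins.php`) and lists administrator accounts that are not on a site-specific allow-list, were registered after a cutoff date, hold more than one role, or currently have live login sessions. The allow-list and cutoff date are placeholders to be edited per site.

```php
<?php
/**
 * Post-update audit for unexpected administrator accounts.
 * Added example, not the advisory's or the plugin's code.
 * Run inside WordPress, e.g.:  wp eval-file audit-admins.php
 */

// Assumption: the administrator logins known to be legitimate on this site.
$known_admins = array( 'site-owner' );

// Assumption: accounts registered on or after this date deserve review
// (for example the date the vulnerable plugin was installed).
$cutoff = '2026-06-01 00:00:00';

// Newest administrators first, so recently created accounts surface at the top.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

$findings = array();
foreach ( $admins as $user ) {
    $reasons = array();

    if ( ! in_array( $user->user_login, $known_admins, true ) ) {
        $reasons[] = 'not in allow-list';
    }
    if ( strtotime( $user->user_registered ) >= strtotime( $cutoff ) ) {
        $reasons[] = 'registered after cutoff';
    }
    // A user carrying several roles is unusual for accounts made via the UI.
    if ( count( (array) $user->roles ) > 1 ) {
        $reasons[] = 'multiple roles: ' . implode( ',', (array) $user->roles );
    }
    // Live sessions on a suspicious account mean someone is still using it.
    $sessions = WP_Session_Tokens::get_instance( $user->ID )->get_all();
    if ( ! empty( $sessions ) ) {
        $reasons[] = count( $sessions ) . ' active session(s)';
    }

    if ( $reasons ) {
        $findings[] = sprintf(
            '#%d %s <%s> registered %s: %s',
            $user->ID,
            $user->user_login,
            $user->user_email,
            $user->user_registered,
            implode( '; ', $reasons )
        );
    }
}

if ( empty( $findings ) ) {
    echo 'No unexpected administrator accounts found.' . PHP_EOL;
} else {
    echo count( $findings ) . ' administrator account(s) need review:' . PHP_EOL;
    foreach ( $findings as $line ) {
        echo $line . PHP_EOL;
    }
}
```

Every administrator not on the allow-list is reported, not only recently created ones, because an attacker who already has admin access can also promote an existing low-privilege account; a flagged account can have its sessions revoked with `WP_Session_Tokens::get_instance( $id )->destroy_all()` before the account itself is removed or demoted.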

Review WooCommerce data. If exploitation is suspected, review order history, customer data, and payment settings for unauthorised modifications or data exfiltration.

References

This advisory was first covered in the broader Vulnerability Intelligence Report — June 6, 2026.
