CVE-2026-10580 | Severity: CRITICAL | CNA: Wordfence

CVE-2026-10580: Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to an authentication bypass leading to administrator account takeover in all versions up to and including 1.9.4. The root cause is a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for administrators and for unauthenticated visitors, while HippooPermissions::has_role_access() unconditionally interprets that null as full administrator access. As a result, override_extension_permission_callback() assigns __return_true as the permission callback for every WordPress and WooCommerce REST route that HippooControllerWithAuth::re_register_external_routes() clones under /wc-hippoo/v1/ext/, and the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated requests for the same reason. Unauthenticated attackers can therefore invoke any core REST endpoint through the cloned namespace without credentials. Most critically, a POST to /wc-hippoo/v1/ext/wp/v2/users/<id> with a {"password":"<new_password>"} body resets the password of any WordPress user, including the site administrator, giving the attacker full administrative control of the site.
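As an added illustration (not the plugin's source, which the advisory does not reproduce), the PHP below shows the bug class described above with hypothetical names: example_get_user_permissions_flawed() and example_has_role_access_flawed() stand in for the roles the advisory attributes to HippooPermissions::get_user_permissions() and has_role_access(), and ExamplePermissions is a hardened version that keeps "unauthenticated" and "unrestricted administrator" as distinct values and fails closed. get_current_user_id(), user_can(), get_user_meta(), is_user_logged_in(), WP_REST_Request and WP_Error are WordPress core APIs; the 'app_permissions' meta key and the manage_options check are assumptions made for the example.

```php
<?php
// Added illustration of the bug class the advisory describes, with hypothetical
// names. This is NOT the plugin's source; the 'app_permissions' meta key and the
// manage_options check are assumptions for the example.

// ---- Flawed pattern: one null value means two different things ---------------

/** @return array<string>|null  null = "no restrictions" ... but also "no user". */
function example_get_user_permissions_flawed() {
    $user_id = get_current_user_id();             // 0 when nobody is logged in
    if ( 0 === $user_id ) {
        return null;                              // BUG: same sentinel as an admin
    }
    if ( user_can( $user_id, 'manage_options' ) ) {
        return null;                              // admin: unrestricted
    }
    $perms = get_user_meta( $user_id, 'app_permissions', true );
    return is_array( $perms ) ? $perms : array();
}

function example_has_role_access_flawed( $capability ) {
    $perms = example_get_user_permissions_flawed();
    if ( null === $perms ) {
        return true;                              // BUG: anonymous visitors land here too
    }
    return in_array( $capability, $perms, true );
}

// With the flawed helper, a route-registration step such as
//   if ( example_has_role_access_flawed( 'manage_options' ) ) { $perm_cb = '__return_true'; }
// hands every cloned route an always-true permission callback for anonymous requests.

// ---- Hardened pattern: three distinct outcomes, fail closed ------------------

final class ExamplePermissions {
    const UNAUTHENTICATED = 'unauthenticated';
    const UNRESTRICTED    = 'unrestricted';

    /** @return string|array<string> */
    public static function get_user_permissions() {
        $user_id = get_current_user_id();
        if ( 0 === $user_id ) {
            return self::UNAUTHENTICATED;         // never confused with admin
        }
        if ( user_can( $user_id, 'manage_options' ) ) {
            return self::UNRESTRICTED;
        }
        $perms = get_user_meta( $user_id, 'app_permissions', true );
        return is_array( $perms ) ? $perms : array();
    }

    public static function has_role_access( $capability ) {
        $perms = self::get_user_permissions();
        if ( self::UNAUTHENTICATED === $perms ) {
            return false;                         // fail closed
        }
        if ( self::UNRESTRICTED === $perms ) {
            return true;
        }
        return in_array( $capability, $perms, true );
    }

    /**
     * Permission callback for a cloned route: require a logged-in user, then
     * defer to the ORIGINAL route's permission_callback instead of __return_true.
     */
    public static function cloned_route_permission( $original_callback ) {
        return function ( WP_REST_Request $request ) use ( $original_callback ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
            }
            return is_callable( $original_callback ) ? call_user_func( $original_callback, $request ) : false;
        };
    }
}
```

The important property of the hardened version is that the "no user" case can never be mistaken for the "administrator" case, because the two are different values and only one of them is ever treated as permissive. Wrapping the original route's permission callback, rather than replacing it with __return_true, also keeps core's own capability checks (for example the edit_user check on /wp/v2/users/<id>) in force on the cloned route.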

Metrics

CVSS v3.1 base score: 9.8 (CRITICAL)
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability in the Hippoo Mobile App for WooCommerce WordPress plugin (versions up to and including 1.9.4) lets any unauthenticated attacker reach every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ without credentials. A logic flaw in the plugin's permission-checking code treats unauthenticated visitors identically to administrators, so each cloned route is registered with an always-true permission callback. Exploitation is trivial: a single unauthenticated POST request to the cloned user-update route is sufficient to reset any WordPress user's password, including the site administrator's, resulting in complete site takeover. No fix version has been published; HarborGuard is tracking this advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-10580 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress and WooCommerce images that bundle this plugin. Any image containing the hippooo/Hippoo plugin at version 1.9.4 or earlier will surface as affected.
Triage: Available

Triage is available with the full CVSS v3.1 score of 9.8 (Critical) applied automatically, weighted against each customer organization's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules for WordPress or WooCommerce workloads.
Patch: Pending upstream

No upstream fix has been published for this CVE. HarborGuard re-checks the Wordfence advisory on every ingest cycle, and a patched-image rebuild will become available automatically the moment a fix version is released upstream. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for affected workloads and ingress filtering or WAF rules that reject unauthenticated requests to the /wc-hippoo/v1/ext/ route namespace (egress filtering limits what a compromised workload can reach afterwards, but does not block the inbound exploit request).

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress REST API over the network; the vulnerable routes under /wc-hippoo/v1/ext/ are exposed via standard HTTP, so any internet-facing or network-accessible WordPress installation with the plugin active is exploitable.

  • Authentication: Not required

    No credentials of any kind are needed; the permission-checking flaw grants unauthenticated requests the same access level as a site administrator.

  • Victim interaction: Not required

    The attacker sends a direct HTTP request to the target API endpoint with no required action from any user or administrator.

  • Attack complexity: Low

    Exploitation is reliable and condition-free: a single well-formed POST request with a JSON body is sufficient, with no race conditions, memory layout dependencies, or environmental factors to navigate. The only target-specific value the attacker must supply is the numeric ID of the user whose password is being reset.

Blast Radius

  • The attacker resets the password of any WordPress user, including the site administrator, and gains full administrative control of the WordPress installation.
  • With administrator access, the attacker reads all stored data including customer records, order history, payment details, and WooCommerce configuration.
  • The attacker modifies or deletes site content, user accounts, plugin settings, and persisted database rows across the WordPress installation.
  • The attacker can install malicious plugins or themes, establishing persistent backdoor access or pivoting to the underlying host if server configuration permits.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-10580, HarborGuard monitors the Wordfence advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as a fix version is published. In the meantime, customers with affected images are surfaced immediately with a Critical severity finding. Where compliance policy permits, HarborGuard can apply compensating controls including network-policy isolation of affected workloads, egress filtering to limit post-compromise callbacks from those workloads, and feature-flag or WAF rule suggestions that reject unauthenticated requests to the /wc-hippoo/v1/ext/ route prefix. A WAF rule should cover write requests to the cloned user-management endpoints generally, not POST alone, since WordPress core accepts PUT and PATCH as well as POST for /wp/v2/users/<id> updates; safer still is to deny all unauthenticated traffic to the cloned namespace, because the bypass also exposes read endpoints. For customers who opt into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be triggered without delay once the upstream patch is available.
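As an added stopgap example for the compensating controls mentioned in the Patch section and above (this is not code from the plugin vendor or from HarborGuard), the must-use plugin below hooks WordPress core's rest_pre_dispatch filter at the lowest possible priority, so that it runs after the plugin's own pre-dispatch guard, and rejects any request to the cloned /wc-hippoo/v1/ext/ namespace that is not made by a logged-in WordPress user. It assumes that legitimate mobile clients authenticate as WordPress users (cookie and nonce, or an application password); if the app instead relies on a plugin-specific token, those clients would be blocked too, so verify on a test site before deploying to production. The file name and function names are the example's own.

```php
<?php
/**
 * Plugin Name: Hippoo ext-route stopgap (added example, not vendor code)
 * Description: Rejects unauthenticated requests to /wc-hippoo/v1/ext/ until a
 *              fixed version of the Hippoo plugin is installed.
 *
 * Install: copy to wp-content/mu-plugins/hippoo-ext-stopgap.php. Must-use
 * plugins load before regular plugins and cannot be deactivated from wp-admin.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // direct access to a plugin file is never legitimate
}

// Route prefix under which the plugin clones core routes (from the advisory).
const HIPPOO_EXT_STOPGAP_PREFIX = '/wc-hippoo/v1/ext/';

/**
 * rest_pre_dispatch runs after WP_REST_Server::check_authentication(), so
 * is_user_logged_in() already reflects cookie+nonce or application-password
 * authentication for this request. Returning a WP_Error short-circuits dispatch.
 *
 * @param mixed           $result  Result from earlier filters (null = continue).
 * @param WP_REST_Server  $server  Unused here.
 * @param WP_REST_Request $request The incoming request.
 * @return mixed
 */
function hippoo_ext_stopgap_pre_dispatch( $result, $server, $request ) {
    // Respect an error an earlier filter already produced.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    $route = $request->get_route(); // shape: "/wc-hippoo/v1/ext/wp/v2/users/<id>"
    if ( strpos( $route, HIPPOO_EXT_STOPGAP_PREFIX ) !== 0 ) {
        return $result; // not a cloned route; leave untouched
    }

    if ( is_user_logged_in() ) {
        return $result; // authenticated WordPress user: defer to normal permission checks
    }

    // Record the attempt for the SOC: method, route and source address only, no body.
    error_log( sprintf(
        'hippoo-ext-stopgap: rejected unauthenticated %s %s from %s',
        $request->get_method(),
        $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'rest_not_logged_in',
        'Authentication required for this route.',
        array( 'status' => 401 )
    );
}

// PHP_INT_MAX priority: run last, so the plugin's own (failing) guard cannot
// discard this verdict by returning null afterwards.
add_filter( 'rest_pre_dispatch', 'hippoo_ext_stopgap_pre_dispatch', PHP_INT_MAX, 3 );
```

After installing it, an unauthenticated GET to any path under /wp-json/wc-hippoo/v1/ext/ should return HTTP 401 with the rest_not_logged_in code, while a request carrying a valid WordPress session or application password should behave exactly as before. The filter only closes the unauthenticated path the advisory describes; it is not a substitute for the upstream fix, and it should be removed once the plugin is updated past 1.9.4.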

Affected packages
  • hippooo / Hippoo Mobile App for WooCommerce
    ≤ 1.9.4
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H