CVE-2026-49065: WordPress Hippoo Mobile App for WooCommerce plugin <= 1.9.5 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Hippoo Mobile App for WooCommerce <= 1.9.5 versions.
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Broken access control in the Hippoo Mobile App for WooCommerce WordPress plugin (versions 1.9.5 and earlier) allows unauthenticated network attackers to reach restricted functionality without logging in. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the vulnerability is reachable over the network, requires no credentials, and can be triggered reliably without any victim interaction. Successful exploitation gives an attacker read access to sensitive data (high confidentiality impact, C:H) and a limited ability to modify content (low integrity impact, I:L). HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment upstream ships a fix.
HarborGuard Coverage
- Detection: Available. Detection for CVE-2026-49065 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress or WooCommerce images that bundle this plugin.
- Triage: Available. Triage is available with a CVSS base score of 8.2 (HIGH) applied automatically; per-environment compliance policy weighting can escalate or suppress the finding based on each customer org's risk profile, and routing to the appropriate team inbox is supported out of the box.
- Fix: Pending upstream. No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer releases a remediated version of the plugin.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress site over the network; the plugin's vulnerable endpoint is exposed via standard HTTP/HTTPS without any network-layer restriction.
- Authentication: Not required
No account or session token is needed; the broken access control flaw allows any anonymous request to reach the protected functionality.
- Victim interaction: Not required
The attack is fully server-side and requires no action from any logged-in user or administrator.
- Attack complexity: Low (AC:L)
Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are involved.
Blast Radius
- Reads restricted WooCommerce or store data, such as order details, customer records, or plugin configuration that should require authentication to access.
- Makes limited modifications to store data or plugin state through the exposed access-controlled endpoint.
- Provides a foothold for further enumeration of the WordPress installation, including probing for additional unauthenticated endpoints.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-49065 is active against any image that bundles Hippoo Mobile App for WooCommerce at version 1.9.5 or earlier. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle. In the interim, compensating controls worth considering include network-policy isolation to restrict public access to the affected plugin routes, egress filtering to limit what the plugin endpoint can reach internally, and temporarily disabling the plugin via feature-flag or deployment config if the mobile app functionality is non-critical. For customers who opt into auto-remediation, a patched-image rebuild and regression-test run will be triggered automatically, and a PR will be opened against affected workloads as soon as the upstream maintainer publishes a fix version.
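One concrete form of the "restrict public access to the affected plugin routes" control above, as an added example that is not part of this advisory or of the plugin's own code: a WordPress must-use plugin that requires a logged-in user with the `manage_woocommerce` capability before any request reaches the plugin's HTTP endpoints. The REST namespace (`hippoo/v1`) and the admin-ajax action prefix (`hippoo_`) are placeholders; the real values must be read from the installed plugin's source, since the advisory does not state which endpoint is affected.

```php
<?php
/**
 * Plugin Name: Gate Hippoo routes (compensating control)
 * Description: Drop into wp-content/mu-plugins/ to require an authenticated
 *              WooCommerce manager for the plugin's endpoints until a fix ships.
 */

// Placeholders, NOT taken from the advisory: replace with the namespace and
// AJAX action prefix found in the installed plugin's register_rest_route()
// and add_action( 'wp_ajax_nopriv_...' ) calls.
const HIPPOO_GATE_REST_NAMESPACE = 'hippoo/v1';
const HIPPOO_GATE_AJAX_PREFIX    = 'hippoo_';
const HIPPOO_GATE_CAPABILITY     = 'manage_woocommerce'; // real WooCommerce capability

function hippoo_gate_is_allowed(): bool {
    return is_user_logged_in() && current_user_can( HIPPOO_GATE_CAPABILITY );
}

// 1. REST API: short-circuit before the route's own permission_callback runs,
//    so a missing or permissive callback in the plugin no longer matters.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route(); // e.g. "/hippoo/v1/orders" (placeholder namespace)
    if ( strpos( $route, '/' . HIPPOO_GATE_REST_NAMESPACE . '/' ) === 0
         && ! hippoo_gate_is_allowed() ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Authentication required for this endpoint.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 anon, 403 logged in
        );
    }
    return $result;
}, 10, 3 );

// 2. admin-ajax.php: admin_init fires before wp_ajax_nopriv_* handlers, so an
//    anonymous caller of a plugin-prefixed action is rejected here.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || hippoo_gate_is_allowed() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( $action !== '' && strpos( $action, HIPPOO_GATE_AJAX_PREFIX ) === 0 ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 403 );
    }
} );
```

Because this gate also blocks the mobile app's legitimate anonymous calls, verify the app still works with an authenticated session before relying on it, and remove the file once the patched plugin version is deployed.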
- hippooo / Hippoo Mobile App for WooCommerce: ≤ 1.9.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N