CVE-2026-49060

Vulnerability

The Hippoo Mobile App for WooCommerce plugin for WordPress versions from n/a through 1.9.4 contain an Incorrect Privilege Assignment vulnerability [1]. This flaw allows an attacker to escalate their privileges without requiring authentication, due to improper handling of user role assignments in the plugin's code [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability without any prior access or special network position [1]. The attacker sends crafted HTTP requests to the WordPress site running the vulnerable plugin, which triggers the incorrect privilege assignment and elevates the attacker's role to a higher privilege level [1]. No user interaction is required, and the attack can be executed remotely [1].

Impact

Successful exploitation leads to privilege escalation, allowing an attacker to gain administrative-level access to the WordPress site [1]. This can result in full site compromise, including the ability to modify content, install malicious plugins, create new admin accounts, and potentially take over the entire website [1]. The CVSS v3 score is 9.8 (Critical) [1].

Mitigation

The vulnerability is fixed in version 1.9.5 of the plugin [1]. Users are strongly advised to update immediately as this vulnerability is listed as Known to be Exploited (KEV) and is expected to be used in mass-exploit campaigns [1]. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update is applied [1]. Auto-update for vulnerable plugins can be enabled for Patchstack users [1].