CVE-2026-49065

Vulnerability

The Hippoo Mobile App for WooCommerce plugin for WordPress versions up to and including 1.9.5 suffers from an unauthenticated broken access control vulnerability. The plugin fails to properly enforce authorization, authentication, or nonce token checks in certain functions, allowing unauthenticated users to perform actions intended for higher-privileged users. [1]

Exploitation

An attacker can exploit this vulnerability without any authentication or prior access. By sending crafted requests to the vulnerable endpoints, an unauthenticated attacker can trigger functions that lack proper access controls. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity. [1]

Impact

Successful exploitation allows an unauthenticated attacker to execute higher-privileged actions, potentially leading to full site compromise, data theft, or other malicious outcomes. The CVSS score of 8.2 (High) reflects the severity and ease of exploitation. [1]

Mitigation

The vulnerability is fixed in version 1.9.6 of the plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack has issued a mitigation rule to block attacks until the update is applied. Auto-update can be enabled for vulnerable plugins. [1]