CVE-2026-10580

WordPress · Hippoo Mobile App for WooCommerce

The Hippoo Mobile App for WooCommerce plugin for WordPress contains an authentication bypass flaw that allows unauthenticated attackers to take over administrator accounts.

Executive summary

An authentication bypass vulnerability in the Hippoo Mobile App for WooCommerce plugin allows unauthenticated attackers to gain full administrative control of WordPress sites.

Vulnerability

A flaw in the plugin's permission handling, in which permission conditions are conflated, allows unauthenticated users to reach the plugin's REST API endpoints. An attacker can therefore send a POST request to the user update endpoint and reset the password of any user, including site administrators, resulting in a full account takeover.

Business impact

With a CVSS score of 9.8, this vulnerability poses a critical risk to any WordPress site running the affected plugin. An attacker can gain full administrative access, leading to complete site defacement, data theft, malware distribution, or total loss of control over the infrastructure.

Remediation

Immediate Action: Deactivate and uninstall the Hippoo Mobile App for WooCommerce plugin until a secure version is confirmed available, or restrict access to the /wc-hippoo/v1/ext/ REST routes.

Proactive Monitoring: Review WordPress user account modification logs for any unauthorized password resets or unexpected administrative account creations.

Compensating Controls: Use a Web Application Firewall (WAF) to block requests to the /wc-hippoo/v1/ext/ path to prevent unauthenticated access to these vulnerable endpoints.
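One way to apply the route restriction described above from inside WordPress itself, as an added example that is not code from the plugin or from this advisory: a must-use plugin that hooks the core `rest_pre_dispatch` filter and refuses any request under the /wc-hippoo/v1/ext/ prefix unless WordPress has already resolved a logged-in user. The prefix is the one named in this advisory; the hook and helper names are WordPress core APIs, and `hippoo_guard_should_block` is a hypothetical helper introduced here. It assumes that, for the duration of the outage, losing anonymous access to these routes (including any the mobile app itself relies on) is acceptable, which is the same trade-off as deactivating the plugin.

```php
<?php
/**
 * Plugin Name: Hippoo REST route guard (compensating control)
 * Description: Denies unauthenticated access to the /wc-hippoo/v1/ext/ REST namespace.
 *
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins
 * and cannot be deactivated from the admin UI.
 */

// Route prefix taken from the advisory. Every route beneath it is denied to
// callers WordPress has not authenticated as a user.
const HIPPOO_GUARD_PREFIX = '/wc-hippoo/v1/ext/';

/**
 * Decide whether a REST request must be blocked.
 *
 * Kept free of WordPress globals so it can be unit-tested in isolation.
 *
 * @param string $route     Route as returned by WP_REST_Request::get_route().
 * @param bool   $logged_in Whether WordPress resolved a logged-in user.
 * @return bool  True when the route is under the guarded prefix and the caller is anonymous.
 */
function hippoo_guard_should_block( string $route, bool $logged_in ): bool {
    // Normalise to a single leading slash so "wc-hippoo/v1/ext/x" and
    // "/wc-hippoo/v1/ext/x" are treated the same way.
    $route = '/' . ltrim( $route, '/' );

    $under_prefix = strncmp( $route, HIPPOO_GUARD_PREFIX, strlen( HIPPOO_GUARD_PREFIX ) ) === 0;

    return $under_prefix && ! $logged_in;
}

/**
 * rest_pre_dispatch runs after core has determined the current user (cookie,
 * nonce or application password) but before the route's own callbacks execute,
 * so returning a WP_Error here short-circuits the vulnerable handler entirely.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( hippoo_guard_should_block( $request->get_route(), is_user_logged_in() ) ) {
        // Record the attempt so it shows up alongside the account-change review
        // recommended in the monitoring step above.
        error_log( sprintf(
            'hippoo-guard: blocked %s %s from %s',
            $request->get_method(),
            $request->get_route(),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );

        return new WP_Error(
            'rest_forbidden',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }

    return $result;
}, 10, 3 );
```

The decision is isolated in `hippoo_guard_should_block` so that the prefix match can be tested without a running WordPress; the filter closure only wires it to the request and the current-user state. Because the check sits at dispatch time rather than in the plugin's own permission callback, it holds even if the plugin registers additional routes under the same prefix.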

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the ease with which an attacker can escalate to full administrative control, organizations should immediately disable the vulnerable plugin. Until a patch is confirmed, the site remains at extreme risk of compromise from remote, unauthenticated attackers.