CVE-2026-49065

Hippoo · Mobile App for WooCommerce

The Hippoo Mobile App for WooCommerce version 1 and below contains an unauthenticated broken access control vulnerability, allowing unauthorized access to restricted functions.

Executive summary

A critical broken access control vulnerability in the Hippoo Mobile App for WooCommerce allows unauthenticated attackers to bypass security restrictions and access unauthorized functionality.

Vulnerability

This is an unauthenticated broken access control flaw where the application fails to enforce proper authorization checks on sensitive backend functions. This allows an attacker to interact with the API or application features without needing to provide valid credentials.

Business impact

With a CVSS score of 8.2, this vulnerability poses a high risk to the security of the WooCommerce store. Unauthorized access could lead to the exposure of customer personally identifiable information (PII) and order history, or to the manipulation of store settings, causing significant reputational and financial damage.

Remediation

Immediate Action: Update the Hippoo Mobile App for WooCommerce to the latest version that includes the security patch for access control.

Proactive Monitoring: Audit API logs for suspicious access patterns or unauthorized calls to administrative or sensitive endpoints.

Compensating Controls: Use a Web Application Firewall (WAF) to restrict access to sensitive API paths and monitor for unusual request volumes from external IP addresses.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Broken access control is a major security failure that can lead to complete data exposure. It is imperative that users of this plugin update to the latest version immediately to close the security gap and protect store data.