{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12655", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T20:38:38.858Z", "datePublished": "2025-12-12T06:32:58.585Z", "dateUpdated": "2026-04-08T17:25:33.371Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:33.371Z"}, "affected": [{"vendor": "hippooo", "product": "Hippoo Mobile App for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint."}], "title": "Hippoo Mobile App for WooCommerce <= 1.7.1 - Missing Authorization to Unauthenticated Limited File Write", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d34701a0-c745-441c-8d6c-7befc877f8d0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L117"}, {"url": "https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/utils.php#L1"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX"}], "timeline": [{"time": "2025-11-05T21:30:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-11T17:41:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T20:32:30.532225Z", "id": "CVE-2025-12655", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T20:32:42.360Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12655", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T20:32:30.532225Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T20:32:36.948Z"}}], "cna": {"title": "Hippoo Mobile App for WooCommerce <= 1.7.1 - Missing Authorization to Unauthenticated Limited File Write", "credits": [{"lang": "en", "type": "finder", "value": "NumeX"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "hippooo", "product": "Hippoo Mobile App for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-05T21:30:19.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-11T17:41:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d34701a0-c745-441c-8d6c-7befc877f8d0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L117"}, {"url": "https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/utils.php#L1"}], "descriptions": [{"lang": "en", "value": "The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:33.371Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12655", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:25:33.371Z", "dateReserved": "2025-11-03T20:38:38.858Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T06:32:58.585Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint."}], "id": "CVE-2025-12655", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T07:15:44.180", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/utils.php#L1"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L117"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L45"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d34701a0-c745-441c-8d6c-7befc877f8d0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:50:53.776395+00:00", "value": {"mitigation_remediation": ["Update the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later, which removes the unauthenticated write endpoint.", "If an update is not yet available, disable or remove the vulnerable REST endpoint so that only authenticated users can access it.", "Restrict write permissions on the public uploads directory to limit the impact of any potential write attempts, and consider using access controls such as .htaccess rules to block executable uploads."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated File Write"}, "threat_synthesis": {"affected_systems": "All installations of the Hippoo Mobile App for WooCommerce plugin up to and including version 1.7.1 are affected. The vulnerability exists in the plugin\u2019s REST API implementation and applies to any WordPress site running these versions.", "description_and_impact": "The Hippoo Mobile App for WooCommerce plugin is vulnerable because a REST API endpoint allows file write without any authentication. An attacker can submit arbitrary JSON payloads to the endpoint and have them stored in the site's public upload directory, potentially leading to malicious scripts or data being placed on the server. The flaw is a missing permission callback, classified as CWE-862, and can compromise confidentiality, integrity, or availability if the attacker injects code.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at the time of assessment. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker can exploit the fault simply by accessing the unauthenticated REST endpoint, which requires network access to the site but no credentials. Successful exploitation would grant arbitrary file writes, which could in turn enable remote code execution or site defacement if the uploaded file is executed by the web server."}}}}, "created": "2025-12-14T21:17:05.718759+00:00", "updated": "2026-04-21T01:00:12.955566+00:00", "vendors": ["hippooo", "hippooo$PRODUCT$hippoo_mobile_app_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}