{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13339", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-17T22:04:06.883Z", "datePublished": "2025-12-10T04:24:13.033Z", "dateUpdated": "2026-04-08T16:33:47.451Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:47.451Z"}, "affected": [{"vendor": "hippooo", "product": "Hippoo Mobile App for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."}], "title": "Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06900b4b-6607-4b25-b4bc-2e2906160421?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3412701/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Moose Love"}], "timeline": [{"time": "2025-11-07T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-17T22:19:26.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-09T16:23:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-10T15:22:03.535796Z", "id": "CVE-2025-13339", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-10T15:22:18.527Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13339", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-10T15:22:03.535796Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-10T15:22:14.644Z"}}], "cna": {"title": "Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read", "credits": [{"lang": "en", "type": "finder", "value": "Moose Love"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "hippooo", "product": "Hippoo Mobile App for WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.7.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-07T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-17T22:19:26.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-09T16:23:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06900b4b-6607-4b25-b4bc-2e2906160421?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3412701/"}], "descriptions": [{"lang": "en", "value": "The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-10T04:24:13.033Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13339", "state": "PUBLISHED", "dateUpdated": "2025-12-10T15:22:18.527Z", "dateReserved": "2025-11-17T22:04:06.883Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-10T04:24:13.033Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."}], "id": "CVE-2025-13339", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-10T05:16:02.200", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3412701/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06900b4b-6607-4b25-b4bc-2e2906160421?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:20:30.862330+00:00", "value": {"mitigation_remediation": ["Update the Hippooo Mobile App for WooCommerce plugin to version 1.7.2 or later in order to eliminate the path traversal flaw.", "If an update is not immediately possible, disable the plugin to prevent the vulnerability from being exploitable.", "Implement file system permissions that restrict the web server\u2019s access to irrelevant configuration files, thereby reducing the potential impact of a path traversal attempt."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Hippooo Mobile App for WooCommerce plugin, specifically versions 1.7.1 and earlier. All installs of the plugin found in the WordPress plugin repository that match these versions are affected.", "description_and_impact": "The Hippoo Mobile App for WooCommerce plugin is susceptible to a path traversal flaw in all releases up to and including 1.7.1. The flaw lies within the template_redirect() function, enabling attackers who need not authenticate to obtain the contents of any file on the server. This can expose private configuration files, credentials, or other sensitive data, thereby compromising confidentiality and potentially allowing further exploitation.", "risk_and_exploitability": "With a CVSS of 7.5 the vulnerability is classified as high severity, and the EPSS score of less than 1% indicates that exploitation is currently unlikely but still possible. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is likely a web request to a directed URL that triggers template_redirect; no authentication is required. Overall, the risk is moderate to high, especially for sites handling sensitive information."}}}}, "created": "2025-12-10T17:48:52.886370+00:00", "updated": "2026-04-22T16:30:22.138289+00:00", "vendors": ["hippooo", "hippooo$PRODUCT$hippoo_mobile_app_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}