2025-12-12 06:32:58
Wordfence
PUBLISHED
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => __return_true`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the servers publicly accessible upload directory via the vulnerable endpoint.