Platform: wordpress
Component: hippoo
Fixed in: 1.7.2
CVE-2025-13339 describes an Arbitrary File Access vulnerability discovered in the Hippoo Mobile App for WooCommerce WordPress plugin. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information like configuration files or database credentials. The vulnerability affects versions 0.0.0 through 1.7.1, and a patch has been released in version 1.7.2.
The impact of this vulnerability is significant. An attacker exploiting this flaw can bypass access controls and directly read files on the server. This could lead to the exposure of sensitive data such as database credentials, API keys, configuration files, or even source code. Depending on the files accessible, an attacker could gain a deeper understanding of the application's architecture and potentially identify further vulnerabilities. The ability to read arbitrary files represents a serious compromise of system integrity and confidentiality.
This vulnerability was publicly disclosed on December 10, 2025. While no active exploitation campaigns have been confirmed, the ease of exploitation and the potential for data exposure make this a high-priority vulnerability. Its nature aligns with common path traversal exploits, suggesting potential for automated scanning and exploitation. The vulnerability is not currently listed in the CISA KEV catalog.
Websites utilizing the Hippoo Mobile App for WooCommerce plugin, particularly those running older versions (0.0.0–1.7.1), are at significant risk. Shared hosting environments are especially vulnerable as they often have limited access controls and a higher concentration of WordPress installations.
• wordpress / composer / npm:
  grep -r "../" /var/www/html/wp-content/plugins/hippoo-mobile-app-for-woocommerce/*
• generic web:
  curl -I 'https://your-wordpress-site.com/wp-content/plugins/hippoo-mobile-app-for-woocommerce/../../../../etc/passwd' # Check for file disclosure
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'hippoo-mobile-app-for-woocommerce'
• wordpress / composer / npm:
  wp plugin update hippoo-mobile-app-for-woocommerce
Disclosure
Exploit status
EPSS: 0.07% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting file access permissions on the server. This can be achieved by configuring the web server (e.g., Apache, Nginx) to deny access to sensitive directories. Additionally, review the plugin's code for any other potential vulnerabilities. After upgrading, verify the fix by attempting to access a known sensitive file via a web request; access should be denied.
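To support the monitoring and WAF guidance above, the following added example (not part of the advisory or the plugin's code) scans web server access logs for traversal attempts aimed at the plugin directory named in this advisory. The sample log lines are constructed, and the endpoint and parameter names in them are placeholders, because the advisory does not name the vulnerable request; double-encoded `..` sequences are normalized before matching.

```python
import re
from urllib.parse import unquote

# Plugin directory as named in the advisory. The endpoint and parameter in the sample
# requests are placeholders: the advisory does not name the vulnerable request.
PLUGIN_PATH = "/wp-content/plugins/hippoo-mobile-app-for-woocommerce/"
# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2025:08:01:12 +0000] "GET /wp-content/plugins/hippoo-mobile-app-for-woocommerce/assets/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2025:08:02:43 +0000] "GET /wp-content/plugins/hippoo-mobile-app-for-woocommerce/PLACEHOLDER.php?p=../../../../wp-config.php HTTP/1.1" 200 3211 "-" "curl/8.4"
203.0.113.12 - - [10/Dec/2025:08:03:01 +0000] "GET /wp-content/plugins/hippoo-mobile-app-for-woocommerce/PLACEHOLDER.php?p=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 120 "-" "python-requests/2.31"
203.0.113.13 - - [10/Dec/2025:08:04:55 +0000] "GET /wp-content/plugins/another-plugin/readme.txt?p=../../etc/passwd HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_url(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches %252e-style double encoding), then map
    backslashes to slashes so Windows-style separators are treated alike."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/")

def find_traversal_attempts(log_text: str) -> list[dict]:
    """One record per request under PLUGIN_PATH whose decoded path or query contains
    a '..' segment. A 2xx response is marked as a likely successful file read."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = normalize_url(m["url"])
        # Split on path and query delimiters so '?p=../x' and '/../x' are both caught.
        if not url.startswith(PLUGIN_PATH) or ".." not in re.split(r"[/\\?=&;]", url):
            continue
        status = int(m["status"])
        verdict = "likely_successful_read" if 200 <= status < 300 else "attempt"
        hits.append({"ip": m["ip"], "timestamp": m["ts"], "decoded_url": url,
                     "status": status, "verdict": verdict})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["verdict"]} {hit["decoded_url"]} ({hit["status"]})')
```

Requests that decode to a traversal and received a 2xx response deserve the same follow-up as a confirmed read of the named file, since an arbitrary file read leaves no other trace than the log entry.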
Update to version 1.7.2 or a later patched version.
CVE-2025-13339 is a HIGH severity vulnerability allowing unauthenticated attackers to read arbitrary files on a WordPress server due to insufficient input validation in the Hippoo Mobile App for WooCommerce plugin.
You are affected if you are using Hippoo Mobile App for WooCommerce versions 0.0.0 through 1.7.1. Upgrade to version 1.7.2 or later to resolve the issue.
Upgrade the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later. As a temporary workaround, implement a WAF rule to block suspicious path traversal attempts.
While no public exploits are currently known, the ease of exploitation suggests a medium probability of exploitation. Continuous monitoring is recommended.
Refer to the official Hippoo Mobile App website and WordPress plugin repository for updates and advisories related to CVE-2025-13339.