Platform: wordpress
Component: hippoo
Fixed in: 1.7.2
CVE-2025-13339 describes an Arbitrary File Access vulnerability discovered in the Hippoo Mobile App for WooCommerce WordPress plugin. This flaw allows unauthenticated attackers to read sensitive files on the server due to insufficient input validation within the template_redirect() function. The vulnerability affects versions from 0.0.0 up to and including 1.7.1, and a patch is available in version 1.7.2.
The impact of this vulnerability is significant. An attacker can exploit it to read any file accessible to the web server process, including configuration files, database credentials, source code, and potentially user data. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. Because the vulnerability requires no authentication and is easy to exploit, it is a high-priority concern. The ability to read arbitrary files also gives attackers a deeper understanding of the system's architecture and a way to identify further vulnerabilities.
CVE-2025-13339 was publicly disclosed on December 10, 2025. While no public exploits are currently known, the ease of exploitation and the potential for sensitive data exposure suggest a medium probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Path traversal is a common attack vector, and similar vulnerabilities have been exploited in the past to gain unauthorized access to systems.
Exploit Status
EPSS: 0.07% (20th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-13339 is to immediately upgrade the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., ../). Carefully review the plugin's code for similar vulnerabilities and apply stricter input validation measures. Monitor WordPress access logs for unusual file access attempts, particularly those involving path traversal patterns.
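The mitigation above suggests a WAF rule for `../` and monitoring access logs for traversal patterns. A literal `../` match misses percent-encoded and double-encoded forms, so this added example (not code from the advisory or from the Hippoo plugin) decodes the request target before matching and flags the log lines that match. The log lines and the `PLACEHOLDER_PARAM` query parameter are constructed; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format. PLACEHOLDER_PARAM stands in
# for whatever parameter the plugin reads; it is not the real parameter name.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2025:10:00:01 +0000] "GET /?PLACEHOLDER_PARAM=../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Dec/2025:10:00:02 +0000] "GET /?PLACEHOLDER_PARAM=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Dec/2025:10:00:03 +0000] "GET /?PLACEHOLDER_PARAM=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 80 "-" "curl/8.0"
198.51.100.4 - - [10/Dec/2025:10:00:04 +0000] "GET /wp-content/uploads/2025/12/photo.jpg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2025:10:00:05 +0000] "GET /product/blue..shirt/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment that starts the target or follows a path/query delimiter and is
# followed by a slash or the end of the string. "blue..shirt" does not match.
TRAVERSAL_SEGMENT = re.compile(r'(?<![^\\/?=&])\.\.(?=[\\/]|$)')


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(raw_target: str) -> bool:
    """True if the request target contains a parent-directory segment after decoding."""
    normalised = fully_decode(raw_target).replace("\\", "/")
    return TRAVERSAL_SEGMENT.search(normalised) is not None


def find_traversal_attempts(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, status, target) for each log line that looks like traversal.

    A 2xx status on a flagged line deserves the most attention: it suggests the
    request was served rather than rejected.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append((m["ip"], m["status"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, status, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```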
Update to version 1.7.2, or a newer patched version
CVE-2025-13339 is a HIGH severity vulnerability allowing unauthenticated attackers to read arbitrary files on a WordPress server due to insufficient input validation in the Hippoo Mobile App for WooCommerce plugin.
You are affected if you are using Hippoo Mobile App for WooCommerce versions 0.0.0 through 1.7.1. Upgrade to version 1.7.2 or later to resolve the issue.
Upgrade the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later. As a temporary workaround, implement a WAF rule to block suspicious path traversal attempts.
While no public exploits are currently known, the ease of exploitation suggests a medium probability of exploitation. Continuous monitoring is recommended.
Refer to the official Hippoo Mobile App website and WordPress plugin repository for updates and advisories related to CVE-2025-13339.