CVE-2025-12655
📋 TL;DR
This vulnerability allows unauthenticated attackers to write arbitrary JSON files to the server's publicly accessible upload directory via a misconfigured REST API endpoint in the Hippoo Mobile App for WooCommerce WordPress plugin. Any WordPress site running the vulnerable plugin version is affected. The issue stems from missing authorization checks that grant public access to a file-writing function.
💻 Affected Systems
- Hippoo Mobile App for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could write malicious JSON files containing web shells or other payloads to the upload directory, potentially leading to remote code execution, data theft, or complete site compromise.
Likely Case
Attackers will write arbitrary JSON files to the upload directory, which could be used for defacement, storing malicious data, or as a stepping stone for further attacks.
If Mitigated
With proper file permissions and web server configuration, the impact is limited to unauthorized file creation in the uploads folder without execution capabilities.
🎯 Exploit Status
The vulnerability is straightforward to exploit with simple HTTP POST requests to the vulnerable endpoint. No authentication or special conditions required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/hippoo/tags/1.7.2
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Hippoo Mobile App for WooCommerce'
4. Click 'Update Now' if update is available
5. Alternatively, download version 1.7.2+ from WordPress.org and manually replace plugin files
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
allRemove or restrict access to the vulnerable REST API endpoint via .htaccess or web server configuration
# Add to .htaccess
RewriteRule ^wp-json/hippoo/v1/wc/token/save_callback/ - [F,L]
Deactivate plugin
linuxTemporarily disable the Hippoo plugin until patched
wp plugin deactivate hippoo
🧯 If You Can't Patch
- Immediately deactivate the Hippoo Mobile App for WooCommerce plugin
- Implement web application firewall rules to block requests to /wp-json/hippoo/v1/wc/token/save_callback/
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Hippoo Mobile App for WooCommerce. If version is 1.7.1 or lower, you are vulnerable.Check Version:
wp plugin list --name=hippoo --field=versionVerify Fix Applied:
After updating, verify plugin version is 1.7.2 or higher. Test the endpoint with unauthenticated POST request - should return 401/403.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-json/hippoo/v1/wc/token/save_callback/ from unauthenticated users
- Unusual file creation in wp-content/uploads/hippoo/ directory
Network Indicators:
- POST requests to the vulnerable endpoint without authentication headers
- JSON file uploads to unexpected locations
SIEM Query:
source="web_logs" AND uri="/wp-json/hippoo/v1/wc/token/save_callback/" AND http_method="POST" AND NOT user_agent="WordPress/*"🔗 References
- https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/utils.php#L1
- https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L117
- https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L45
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d34701a0-c745-441c-8d6c-7befc877f8d0?source=cve
