CVE-2026-10580
Published: 05 June 2026
Summary
CVE-2026-10580 is a critical-severity Improper Authorization (CWE-285) vulnerability in the Hippoo Mobile App for WooCommerce plugin for WordPress (product inferred from the references). Its CVSS 3.1 base score is 9.8 (Critical).
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.1% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to authentication bypass leading to administrator account takeover in all versions through 1.9.4. The root cause is a logic error in HippooPermissions::get_user_permissions() that returns an identical null sentinel for both administrators and unauthenticated visitors; HippooPermissions::has_role_access() then treats this value as full administrative access, allowing override_extension_permission_callback() to attach __return_true to every REST route re-registered under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(). The block_unauthorized_access() pre-dispatch check fails for the same reason, exposing all cloned WordPress and WooCommerce endpoints.
Unauthenticated attackers can therefore invoke any core REST endpoint without credentials. In particular, they can issue a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> containing a JSON body that sets a new password, thereby resetting the administrator account and obtaining complete control of the WordPress site. The flaw carries a CVSS 3.1 score of 9.8 and is tracked under CWE-285.
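The sentinel conflation described above, modelled in Python as an added example. This is not the plugin's PHP; the names User, ANONYMOUS, SHOP_MANAGER, has_role_access_vulnerable, has_role_access_fixed, rest_status and the two cloned routes are constructed for illustration. The vulnerable shape returns a single None for two different situations (administrator and no session) and the caller reads it as "administrator"; the hardened shape returns three distinct outcomes and denies by default, so an unauthenticated caller gets 401 instead of the admin's 200.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Union

ADMIN_ROLE = "administrator"


@dataclass(frozen=True)
class User:
    id: int                   # WordPress uses ID 0 for a visitor with no session
    roles: FrozenSet[str]


# Constructed principals and cloned routes for the walkthrough (assumptions).
ANONYMOUS = User(0, frozenset())
ADMIN = User(1, frozenset({ADMIN_ROLE}))
SHOP_MANAGER = User(7, frozenset({"shop_manager"}))
USERS_ROUTE = "wp/v2/users/1"        # cloned core route; a POST here sets a password
PRODUCTS_ROUTE = "wc/v3/products"    # cloned WooCommerce route a staff role may use


# --- Vulnerable shape: one None sentinel with two meanings -------------------
def get_user_permissions_vulnerable(user: User) -> Optional[FrozenSet[str]]:
    """Allow-list of cloned routes for a user, or None.

    None means 'unrestricted' for an administrator but also 'no record' for an
    anonymous visitor; the caller cannot tell which one it received.
    """
    if ADMIN_ROLE in user.roles:
        return None
    if user.id == 0:
        return None
    return frozenset({PRODUCTS_ROUTE})


def has_role_access_vulnerable(user: User, route: str) -> bool:
    perms = get_user_permissions_vulnerable(user)
    if perms is None:          # 'no record' is read as 'administrator'
        return True
    return route in perms


# --- Hardened shape: distinct outcomes, deny by default ----------------------
class Unauthenticated:
    """No session: never an allow-list, never unrestricted."""


class Unrestricted:
    """Administrator: every cloned route."""


@dataclass(frozen=True)
class Restricted:
    routes: FrozenSet[str]


Permissions = Union[Unauthenticated, Unrestricted, Restricted]


def get_user_permissions_fixed(user: User) -> Permissions:
    if user.id == 0:
        return Unauthenticated()
    if ADMIN_ROLE in user.roles:
        return Unrestricted()
    return Restricted(frozenset({PRODUCTS_ROUTE}))


def has_role_access_fixed(user: User, route: str) -> bool:
    perms = get_user_permissions_fixed(user)
    if isinstance(perms, Unrestricted):
        return True
    if isinstance(perms, Restricted):
        return route in perms.routes
    return False               # Unauthenticated or anything unexpected: deny


def rest_status(check: Callable[[User, str], bool], user: User, route: str) -> int:
    """HTTP status a caller would see from a cloned route under a given check.

    Models the pre-dispatch guard (block_unauthorized_access). Once the role
    check passes, the plugin attaches __return_true as the route's
    permission_callback, so nothing downstream re-checks the caller.
    """
    if not check(user, route):
        return 401 if user.id == 0 else 403
    return 200


def access_matrix():
    """Status each principal gets on the cloned users route: (vulnerable, fixed)."""
    principals = (("anonymous", ANONYMOUS), ("shop_manager", SHOP_MANAGER), ("admin", ADMIN))
    return {
        name: (rest_status(has_role_access_vulnerable, u, USERS_ROUTE),
               rest_status(has_role_access_fixed, u, USERS_ROUTE))
        for name, u in principals
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in access_matrix().items():
        print(f"{name:13s} vulnerable={vuln} fixed={fixed}")
```

The fix that matters is the type of the return value, not the check that consumes it: as long as "no permission record" and "no restrictions" share one representation, every consumer (here both the pre-dispatch guard and the permission callback) inherits the conflation.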
No vendor advisory or patch information is supplied in the available references, which consist solely of source-code links. The associated EPSS score remains flat at 0.0226 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-34887
Vulnerability details
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors — a value that HippooPermissions::has_role_access() unconditionally interprets as full administrator access — causing override_extension_permission_callback() to assign __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), while the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials — most critically, sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a {"password":"<new_password>"} body to reset the password of any WordPress user, including the site administrator, and gain full administrative control of the site.
- CWE(s): CWE-285 (Improper Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): an authentication bypass in a publicly reachable WordPress plugin directly enables remote exploitation of the exposed REST endpoints for administrator takeover.
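Detection logic for the exploitation pattern described on this page, added here as an example (it is not from the page's references or the plugin). It parses access-log lines in the common "combined" format, normalises both the /wp-json/<route> form and the ?rest_route=<route> form that WordPress accepts when pretty permalinks are off, and flags write requests to routes cloned under /wc-hippoo/v1/ext/, rating a 2xx POST/PUT/PATCH to the cloned wp/v2/users route highest. The sample log lines, the severity labels and the function names are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2026:10:14:01 +0000] "GET /wp-json/wc-hippoo/v1/ext/wp/v2/users HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - - [06/Jun/2026:10:14:02 +0000] "POST /wp-json/wc-hippoo/v1/ext/wp/v2/users/1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.9 - - [06/Jun/2026:10:20:15 +0000] "POST /?rest_route=%2Fwc-hippoo%2Fv1%2Fext%2Fwp%2Fv2%2Fusers%2F1 HTTP/1.1" 200 512 "-" "python-requests/2.32.0"
192.0.2.5 - - [06/Jun/2026:10:21:00 +0000] "GET /wp-json/wc/v3/products HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.5 - - [06/Jun/2026:10:21:30 +0000] "POST /wp-json/wp/v2/users/1 HTTP/1.1" 401 120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2026:10:22:00 +0000] "POST /wp-json/wc-hippoo/v1/ext/wc/v3/orders HTTP/1.1" 200 800 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
EXT_PREFIX = "/wc-hippoo/v1/ext/"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Cloned core users routes: a write to users/<id> can set a password, a write
# to users can create an account.
USERS_WRITE_RE = re.compile(r"^wp/v2/users(?:/\d+|/me)?$")


def rest_route(target: str):
    """REST route for a request target, or None if it is not a REST call.

    Handles /wp-json/<route> and the ?rest_route=<route> query form; the
    latter is what an attacker would use on a site with plain permalinks.
    """
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):]
    q = parse_qs(parts.query)            # parse_qs already percent-decodes
    if "rest_route" in q:
        r = q["rest_route"][0]
        return r if r.startswith("/") else "/" + r
    return None


def classify(method: str, route: str, status: str):
    """(severity, reason) for one request to a cloned route, else None."""
    if not route.startswith(EXT_PREFIX):
        return None
    inner = route[len(EXT_PREFIX):]      # the core/WooCommerce route behind the clone
    if method in WRITE_METHODS and USERS_WRITE_RE.match(inner):
        sev = "critical" if status.startswith("2") else "high"
        return sev, f"{method} to cloned users route {inner} (password/user change)"
    if method in WRITE_METHODS:
        return "high", f"{method} to cloned route {inner}"
    return "low", f"{method} to cloned route {inner}"


def scan(log_text: str):
    """Findings for every cloned-route request in the log, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        route = rest_route(m["target"])
        if route is None:
            continue
        hit = classify(m["method"], route, m["status"])
        if hit:
            sev, reason = hit
            findings.append({"ip": m["ip"], "ts": m["ts"], "severity": sev,
                             "route": route, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8s} {f['ip']:14s} {f['ts']}  {f['reason']}")
```

Any write through /wc-hippoo/v1/ext/ is unusual enough to alert on by itself; a direct POST to /wp-json/wp/v2/users/1 that returns 401 (the fifth sample line) is core behaving correctly and is deliberately not flagged, which is what makes the cloned prefix the useful discriminator.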
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization decisions on every REST route; the CVE is a logic error inside HippooPermissions::has_role_access() that grants administrator rights to unauthenticated callers.
- AC-6 (Least Privilege): requires that only the minimum privileges needed are granted; the flaw unconditionally maps the null sentinel to full administrator rights on /wc-hippoo/v1/ext/ endpoints.
- Identification and authentication of users must precede access to privileged functions such as password-reset operations on wp/v2/users; the cloned routes skip this entirely for callers with no session.