Cyber Resilience

CVE-2026-10580

Severity: Critical (updated)
Published: 05 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0284 (84.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-10580 is a critical-severity Improper Authorization (CWE-285) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 15.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to authentication bypass leading to administrator account takeover in all versions through 1.9.4. The root cause is a logic error in HippooPermissions::get_user_permissions() that returns an identical null sentinel for both administrators and unauthenticated visitors; HippooPermissions::has_role_access() then treats this value as full administrative access, allowing override_extension_permission_callback() to attach __return_true to every REST route re-registered under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(). The block_unauthorized_access() pre-dispatch check fails for the same reason, exposing all cloned WordPress and WooCommerce endpoints.

Unauthenticated attackers can therefore invoke any core REST endpoint without credentials. In particular, they can issue a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> containing a JSON body that sets a new password, thereby resetting the administrator account and obtaining complete control of the WordPress site. The flaw carries a CVSS 3.1 score of 9.8 and is tracked under CWE-285.

No vendor advisory or patch information is supplied in the available references, which consist solely of source-code links. The associated EPSS score remains flat at 0.0226 with no observed rise after disclosure.


Vulnerability details

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors, a value that HippooPermissions::has_role_access() unconditionally interprets as full administrator access. As a result, override_extension_permission_callback() assigns __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), while the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials, most critically by sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a {"password":"<new_password>"} body to reset the password of any WordPress user, including the site administrator, and gain full administrative control of the site.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Auth bypass in public WordPress plugin directly enables remote exploitation of exposed REST endpoints for admin takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

AC-3 Access Enforcement (prevent): Directly enforces authorization decisions on every REST route; the CVE is a logic error inside HippooPermissions::has_role_access() that grants admin rights to unauthenticated callers.

AC-6 Least Privilege (prevent): Requires that only the minimum privileges needed are granted; the flaw unconditionally maps the null sentinel to full administrator rights on /wc-hippoo/v1/ext/ endpoints.

Prevent: Mandates identification and authentication of users before allowing access to privileged functions such as password-reset operations on wp/v2/users.
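The AC-3 and AC-6 controls above can be enforced at the WordPress level while no fixed plugin version is available. The mu-plugin below is an added illustration written for this page, not code from the Hippoo plugin or from the advisory; it assumes only the /wc-hippoo/v1/ext/ route prefix named above and standard WordPress REST hooks, and it assumes legitimate callers of the cloned routes are authenticated as WordPress users by the time the callbacks run.

```php
<?php
/**
 * Plugin Name: Hippoo ext-route guard (hypothetical emergency mu-plugin)
 * Description: Blocks unauthenticated callers on every REST route cloned under
 * /wc-hippoo/v1/ext/ and non-user-editors on the cloned wp/v2/users routes,
 * whatever permission_callback the cloned route carries.
 */

// Route prefix taken from the advisory; every route beneath it is a cloned core
// WordPress/WooCommerce route whose permission_callback the bug replaces with __return_true.
const HIPPOO_EXT_PREFIX = '/wc-hippoo/v1/ext/';

// Pure policy function (no WordPress globals) so it can be unit-tested.
// Returns null to allow, or an error code that maps to an HTTP status below.
function hippoo_guard_decision( string $route, bool $logged_in, bool $can_edit_users ): ?string {
    $route = '/' . ltrim( $route, '/' ); // WP_REST_Request::get_route() already gives this form
    if ( strpos( $route, HIPPOO_EXT_PREFIX ) !== 0 ) {
        return null; // not a cloned route: leave it to the normal callbacks
    }
    if ( ! $logged_in ) {
        return 'hippoo_ext_unauthenticated';
    }
    // The cloned users endpoint can set passwords; require the edit_users
    // capability there even for logged-in callers.
    if ( strpos( $route, HIPPOO_EXT_PREFIX . 'wp/v2/users' ) === 0 && ! $can_edit_users ) {
        return 'hippoo_ext_forbidden';
    }
    return null;
}

// rest_request_before_callbacks fires before the matched route's
// permission_callback, so a __return_true callback never gets to run.
function hippoo_guard_before_callbacks( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // an earlier filter already rejected the request
    }
    $code = hippoo_guard_decision(
        $request->get_route(), is_user_logged_in(), current_user_can( 'edit_users' )
    );
    if ( null === $code ) {
        return $response;
    }
    // Log every denial; a burst of these against wp/v2/users is a detection signal.
    error_log( sprintf( 'hippoo-guard: denied %s %s (%s) from %s', $request->get_method(),
        $request->get_route(), $code, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    $status = ( 'hippoo_ext_unauthenticated' === $code ) ? 401 : 403;
    return new WP_Error( $code, 'You are not allowed to call this route.', array( 'status' => $status ) );
}
add_filter( 'rest_request_before_callbacks', 'hippoo_guard_before_callbacks', 10, 3 );
```

Because it hooks rest_request_before_callbacks, the guard is evaluated before the cloned route's __return_true permission callback and short-circuits the request with a WP_Error. If the mobile app authenticates through its own token scheme without setting the WordPress current user, this rule will deny the app as well, so verify it against a legitimate client before deploying.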
