cleantalk
Vulnerabilities and Security Researches

Hippoo!, CVE-2025-12655

CVE, Research URL

CVE-2025-12655

Home page URL

Security reports for Hippoo!

Application

Hippoo!

Published on
Dec 12, 2025
Research Description
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint.
Affected versions
max 1.7.2.
Status
vulnerable
Previous vulnerability researches
Hippoo! (CVE-2025-12655) , Jan 11, 2026
Hippoo! (CVE-2025-13339) , Jan 11, 2026
Hippoo! (CVE-2026-10580) , Jun 08, 2026
New vulnerability
Hippoo! (CVE-2026-10580) , Jun 08, 2026
Simple SEO Slideshow (CVE-2026-8900) , Jun 08, 2026
LearnPress Export Import – WordPress extension for LearnPress (CVE-2026-7565) , Jun 08, 2026
LearnPress Export Import – WordPress extension for LearnPress (CVE-2026-7566) , Jun 08, 2026
Event Monster – Event Management, Tickets Booking, Upcoming Event (CVE-2026-8608) , Jun 08, 2026