CVE-2025-12655: CWE-862 Missing Authorization in hippooo Hippoo Mobile App for WooCommerce
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint.
AI Analysis
Technical Summary
CVE-2025-12655 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Hippoo Mobile App for WooCommerce plugin for WordPress. The root cause is the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with a permission callback set to `__return_true`, effectively disabling any authorization checks. This misconfiguration allows unauthenticated attackers to invoke the endpoint and write arbitrary JSON content to the server's upload directory, which is publicly accessible. Since the upload directory is exposed, attackers can potentially upload malicious files disguised as JSON, which could be leveraged for further attacks such as injecting malicious scripts or webshells, leading to integrity compromise of the website. The vulnerability affects all versions up to and including 1.7.1 of the plugin. The CVSS 3.1 base score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges required, no user interaction, and impact limited to integrity. No patches or exploit code are currently publicly available, but the vulnerability's nature makes it relatively easy to exploit. The plugin is used in WooCommerce-based e-commerce sites, which are prevalent in Europe, increasing the potential attack surface. The vulnerability does not directly affect confidentiality or availability but poses a significant risk to data integrity and site trustworthiness.
Potential Impact
For European organizations, especially e-commerce businesses relying on WooCommerce and the Hippoo Mobile App plugin, this vulnerability can lead to unauthorized modification of website content or injection of malicious payloads. This compromises the integrity of the web platform, potentially damaging brand reputation and customer trust. Attackers could use the arbitrary file write to deploy webshells, facilitating further attacks such as data theft, site defacement, or pivoting within the network. Since WooCommerce powers a significant portion of European online stores, the risk extends to financial losses, regulatory non-compliance (e.g., GDPR if customer data is indirectly affected), and operational disruptions. The vulnerability's exploitation does not require authentication or user interaction, increasing the likelihood of automated attacks. Organizations with limited security monitoring or outdated plugins are particularly vulnerable. The impact is more pronounced in countries with large e-commerce markets and high WooCommerce adoption, where attackers may find more lucrative targets.
Mitigation Recommendations
1. Immediately update the Hippoo Mobile App for WooCommerce plugin to a version that addresses this vulnerability once available.
2. In the absence of an official patch, restrict access to the vulnerable REST API endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to `/wp-json/hippoo/v1/wc/token/save_callback/*`.
3. Harden REST API permissions by customizing the permission_callback to enforce proper authorization checks, ensuring only authenticated and authorized users can access sensitive endpoints.
4. Monitor the upload directories for unusual or unexpected JSON files and remove any suspicious files promptly.
5. Employ file integrity monitoring to detect unauthorized changes to web-accessible directories.
6. Limit the permissions of the web server user to prevent execution of uploaded files and restrict write access to only necessary directories.
7. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and REST API endpoints.
8. Educate development and operations teams about secure plugin configuration and the risks of exposing REST API endpoints without proper authorization.
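The registration pattern the advisory describes (`permission_callback => '__return_true'`) beside a hardened registration of the same route, as an added PHP illustration that is not the plugin's own code; the handler name, the `manage_woocommerce` capability choice and the `hippoo-example` upload subdirectory are assumptions.

```php
<?php
// Added illustration, not the plugin's code: the advisory's route and its
// '__return_true' pattern beside a hardened registration (names are assumed).
// Vulnerable pattern (not hooked here): any request passes authorization.
function hippoo_example_register_vulnerable() {
    register_rest_route( 'hippoo/v1', '/wc/token/save_callback/(?P<token_id>[^/]+)', array(
        'methods'             => 'POST',
        'callback'            => 'hippoo_example_save_callback',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened: require a logged-in user with the WooCommerce capability and
// constrain token_id so it can only name one file in one subdirectory.
function hippoo_example_register_hardened() {
    register_rest_route( 'hippoo/v1', '/wc/token/save_callback/(?P<token_id>[A-Za-z0-9_-]+)', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'hippoo_example_save_callback',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_woocommerce' ) ) {
                return true;
            }
            // 401 for anonymous callers, 403 for logged-in users lacking the capability.
            return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => rest_authorization_required_code() ) );
        },
        'args' => array(
            'token_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && 1 === preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $value );
                },
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'hippoo_example_register_hardened' );

// Hypothetical handler: accept only a JSON object and write it only as
// <token_id>.json inside a dedicated uploads subdirectory.
function hippoo_example_save_callback( WP_REST_Request $request ) {
    $data = $request->get_json_params();
    if ( ! is_array( $data ) ) {
        return new WP_Error( 'rest_invalid_param', 'Body must be a JSON object.', array( 'status' => 400 ) );
    }
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'hippoo-example';
    wp_mkdir_p( $dir );
    file_put_contents( $dir . '/' . $request['token_id'] . '.json', wp_json_encode( $data ) );
    return rest_ensure_response( array( 'saved' => $request['token_id'] . '.json' ) );
}
```

The hardened version still writes under the public uploads directory, so pair it with recommendation 6 (no script execution from uploads) rather than relying on the authorization check alone.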
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-03T20:38:38.858Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693bbde4e6d9263eb3549376
Added to database: 12/12/2025, 7:01:56 AM
Last enriched: 12/12/2025, 7:18:09 AM
Last updated: 12/15/2025, 2:19:08 AM