CVE-2025-12655: CWE-862 Missing Authorization in hippooo Hippoo Mobile App for WooCommerce
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint.
AI Analysis
Technical Summary
CVE-2025-12655 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Hippoo Mobile App for WooCommerce WordPress plugin. The vulnerability exists because the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` is registered with a permission callback that always returns true (`__return_true`), effectively disabling any authorization checks. This allows unauthenticated attackers to invoke this endpoint and write arbitrary JSON content to the server's upload directory, which is publicly accessible. The vulnerability affects all versions up to and including 1.7.1 of the plugin. The CVSS 3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts integrity (I:L) but not confidentiality or availability. The ability to write arbitrary files can lead to integrity violations, such as injecting malicious payloads or defacing content, potentially facilitating further attacks like webshell deployment or supply chain compromise. No patches or known exploits are currently reported, but the vulnerability is significant due to the lack of authentication and the widespread use of WooCommerce in e-commerce. The plugin’s REST API design flaw is a critical security oversight, emphasizing the need for proper permission callbacks in WordPress REST endpoints to prevent unauthorized access.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the integrity of their e-commerce platforms. Attackers could exploit the missing authorization to write arbitrary JSON files, potentially leading to data manipulation or the introduction of malicious scripts if the upload directory is improperly secured. This could result in defacement, customer trust erosion, or serve as a foothold for further attacks such as privilege escalation or data exfiltration. Although confidentiality and availability are not directly impacted, the integrity compromise could indirectly affect business operations and compliance with data protection regulations like GDPR. The risk is heightened for organizations relying on WooCommerce with the Hippoo Mobile App plugin, especially those with high traffic or sensitive customer data. The absence of known exploits reduces immediate threat but does not eliminate the risk of future attacks. European e-commerce businesses must consider this vulnerability in their risk assessments and incident response planning.
Mitigation Recommendations
1. Immediately verify whether the Hippoo Mobile App for WooCommerce plugin is installed and identify the version in use.
2. Monitor the vendor's official channels for patches or updates addressing CVE-2025-12655 and apply them promptly once available.
3. Until a patch is released, restrict access to the vulnerable REST API endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to `/wp-json/hippoo/v1/wc/token/save_callback/*`.
4. Harden the WordPress REST API by enforcing authentication and authorization checks on custom endpoints, for example by customizing the plugin code to replace `__return_true` with a proper permission callback.
5. Restrict permissions on the upload directory so that files placed there cannot be executed as code, and monitor the directory for unexpected file changes or additions.
6. Conduct regular security audits and file integrity monitoring to detect unauthorized modifications.
7. Educate development and operations teams about secure REST API design and the importance of authorization checks.
8. Consider isolating critical e-commerce infrastructure and applying network segmentation to limit exposure.
9. Review and update incident response plans to include scenarios involving unauthorized file writes via REST API endpoints.
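The following is an added example, not code from the Hippoo plugin, showing what recommendation 4 looks like in practice: the route named in the advisory registered with a real `permission_callback` instead of `__return_true`, plus input validation on the `token_id` path parameter. The function names (`hippoo_example_*`), the `manage_woocommerce` capability requirement and the option-based storage in the handler are assumptions chosen for illustration; only the route path and the `__return_true` pattern come from the advisory.

```php
<?php
/**
 * Added example (not the plugin's own code). Registers the advisory's route with a
 * real authorization gate. Names prefixed hippoo_example_ are hypothetical.
 */

// Permission callback: WordPress evaluates this before the handler runs. Cookie
// sessions need a valid X-WP-Nonce header and application passwords work with
// Basic auth; anything else arrives as an anonymous user and is rejected here.
function hippoo_example_save_callback_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Authentication required.', 'hippoo-example' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    // Capability assumed for the example: only store managers may save callbacks.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Insufficient permissions.', 'hippoo-example' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

// Handler (hypothetical design): accept only a JSON object and persist it as an
// option keyed by the validated token id, instead of writing a file into the
// publicly reachable upload directory.
function hippoo_example_save_callback( WP_REST_Request $request ) {
    $token_id = $request->get_param( 'token_id' );
    $payload  = $request->get_json_params();
    if ( ! is_array( $payload ) ) {
        return new WP_Error(
            'rest_invalid_param',
            __( 'Request body must be a JSON object.', 'hippoo-example' ),
            array( 'status' => 400 )
        );
    }
    update_option( 'hippoo_example_callback_' . $token_id, wp_json_encode( $payload ), false );
    return rest_ensure_response( array( 'saved' => true, 'token_id' => $token_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route(
        'hippoo/v1',
        '/wc/token/save_callback/(?P<token_id>[A-Za-z0-9_-]+)',
        array(
            'methods'  => WP_REST_Server::CREATABLE,
            'callback' => 'hippoo_example_save_callback',
            // Vulnerable form described in the advisory (do not use):
            // 'permission_callback' => '__return_true',
            'permission_callback' => 'hippoo_example_save_callback_permission',
            'args' => array(
                'token_id' => array(
                    'required'          => true,
                    // Reject anything that is not a short, safe identifier.
                    'validate_callback' => function ( $value ) {
                        return is_string( $value )
                            && preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $value ) === 1;
                    },
                    'sanitize_callback' => 'sanitize_text_field',
                ),
            ),
        )
    );
} );
```

With this registration an unauthenticated `POST` to the endpoint receives a `401` (or `403`) JSON error from the REST server before the handler executes, which is the behaviour recommendation 3's WAF rule approximates from the outside while a patch is pending.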
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-03T20:38:38.858Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693bbde4e6d9263eb3549376
Added to database: 12/12/2025, 7:01:56 AM
Last enriched: 12/19/2025, 8:28:56 AM
Last updated: 2/7/2026, 7:32:09 AM