The Hippoo Mobile App for WooCommerce plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) identified as CVE-2025-12655. The root cause is the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with a permission callback set to `__return_true`, effectively disabling any authorization checks. This allows unauthenticated attackers to invoke this endpoint and write arbitrary JSON content to the server's upload directory, which is publicly accessible. Because the endpoint accepts arbitrary token IDs and content, attackers can craft malicious payloads that may be used to manipulate plugin behavior or plant malicious files. Although the vulnerability does not directly disclose sensitive information or cause denial of service, the ability to write files arbitrarily can undermine the integrity of the affected system and potentially serve as a foothold for further exploitation, such as uploading web shells or injecting malicious scripts. The vulnerability affects all versions up to and including 1.7.1 of the plugin. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The CVSS v3.1 score of 5.3 reflects a medium severity, with network attack vector, no privileges required, no user interaction, and impact limited to integrity. The vulnerability is significant because WooCommerce is widely used globally, and the Hippoo Mobile App plugin is designed to integrate mobile app functionality, making it a critical component for many e-commerce sites.

This vulnerability allows unauthenticated attackers to write arbitrary files to a publicly accessible directory on the server hosting the WordPress site. The primary impact is on the integrity of the system, as attackers can modify or add files that may alter site behavior, inject malicious code, or facilitate further attacks such as remote code execution if combined with other vulnerabilities or misconfigurations. Although confidentiality and availability are not directly affected, the integrity compromise can lead to reputational damage, loss of customer trust, and potential financial losses for e-commerce businesses. Attackers could use this vector to deploy web shells or backdoors, enabling persistent access and further exploitation. The ease of exploitation (no authentication or user interaction required) increases the risk, especially for sites that have not applied mitigations or patches. Organizations relying on this plugin for mobile app integration in WooCommerce stores are at risk of compromise, which could cascade into broader security incidents affecting customer data and business operations.

1. Immediately restrict access to the vulnerable REST API endpoint by implementing custom permission callbacks or access control rules in the WordPress environment to prevent unauthenticated access. 2. Monitor and audit the upload directory for any unauthorized or suspicious files, removing any that appear malicious. 3. Disable or remove the Hippoo Mobile App for WooCommerce plugin if it is not essential to reduce the attack surface. 4. Apply any forthcoming patches or updates from the vendor as soon as they become available. 5. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious REST API requests targeting the vulnerable endpoint. 6. Harden the WordPress installation by limiting file write permissions to only necessary directories and users. 7. Conduct regular security scans and penetration tests focusing on REST API endpoints to detect similar authorization issues. 8. Educate site administrators on the risks of installing plugins without proper security reviews and encourage timely updates. 9. Implement logging and alerting for unusual API activity to enable rapid incident response. 10. Consider isolating critical e-commerce infrastructure from public-facing components where feasible to limit exposure.