The Hippoo Mobile App for WooCommerce plugin suffers from an improper authorization vulnerability (CWE-285) caused by a logic conflation in HippooPermissions::get_user_permissions(). This function returns a null sentinel value for both administrators and unauthenticated visitors, which HippooPermissions::has_role_access() interprets as full administrator access. Consequently, the permission callback for all REST routes cloned under /wc-hippoo/v1/ext/ is set to always allow access (__return_true). The pre-dispatch guard block_unauthorized_access() fails to block unauthenticated users, enabling attackers to invoke core REST endpoints without credentials. Attackers can send POST requests to endpoints like /wc-hippoo/v1/ext/wp/v2/users/<id> with a JSON body containing a new password, effectively resetting any user's password and gaining administrative control.

An unauthenticated attacker can bypass authentication and authorization controls to gain full administrative privileges on affected WordPress sites using the vulnerable plugin. This includes the ability to reset passwords for any user, including administrators, leading to complete site compromise. The vulnerability has a CVSS 3.1 base score of 9.8 (Critical), reflecting its high impact on confidentiality, integrity, and availability. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, it is recommended to disable or remove the Hippoo Mobile App for WooCommerce plugin to prevent exploitation. Monitor vendor channels for updates and apply any official patches promptly once available.