Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4.
The vulnerability classified as CWE-266 (Incorrect Privilege Assignment) involves improper privilege assignment in the plugin's logic. An attacker can, without possessing any credentials, send a properly crafted request to the vulnerable endpoint and obtain a higher level of access than intended. The mechanism enables privilege escalation, which in a WordPress environment can mean taking over the administrator role.
An attacker can obtain elevated privileges in the WordPress application, potentially taking full control of the website, including access to WooCommerce store customer data and the ability to modify system configuration.
The Hippoo Mobile App for WooCommerce plugin should be updated to a version higher than 1.9.4. Details regarding the available patch can be found in the manufacturer's references and in the Patchstack database.
WordPress plugin Hippoo Mobile App for WooCommerce in versions from its inception through 1.9.4 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H