PatchSiren cyber security CVE debrief

CVE-2026-10580 hippooo CVE debrief

CVE-2026-10580 is a critical vulnerability in the Hippoo Mobile App for WooCommerce plugin for WordPress. The plugin is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This issue arises from a logic conflation in `HippooPermissions::get_user_permissions()`, which returns the same null sentinel for both administrators and unauthenticated visitors. This value is unconditionally interpreted as full administrator access by `HippooPermissions::has_role_access()`, causing `override_extension_permission_callback()` to assign `__return_true` as the permission callback for every WordPress and WooCommerce REST route cloned under `/wc-hippoo/v1/ext/` by `HippooControllerWithAuth::re_register_external_routes()`. Meanwhile, the `block_unauthorized_access()` pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials. Most critically, sending a POST request to `/wc-hippoo/v1/ext/wp/v2/users/<id>` with a `{