PatchSiren cyber security CVE debrief
CVE-2026-49065 hippooo CVE debrief
CVE-2026-49065 is a high-severity vulnerability (CVSS Score: 8.2) affecting the Hippoo Mobile App for WooCommerce plugin versions <= 1.9.5. This vulnerability is classified as Unauthenticated Broken Access Control. The vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-49065) and additional details can be found on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-49065).
- Vendor
- hippooo
- Product
- Hippoo Mobile App for WooCommerce
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of WooCommerce and administrators of WordPress sites utilizing the Hippoo Mobile App for WooCommerce plugin versions <= 1.9.5 should be aware of this vulnerability.
Technical summary
The vulnerability is caused by a broken access control mechanism in the Hippoo Mobile App for WooCommerce plugin. This allows unauthenticated access, potentially leading to unauthorized actions on the affected system.
Defensive priority
High
Recommended defensive actions
- Update the Hippoo Mobile App for WooCommerce plugin to a version greater than 1.9.5.
- Review and restrict access controls for the plugin.
- Monitor for any suspicious activity related to the plugin.
Evidence notes
Evidence suggests that this vulnerability was discovered and reported by Patchstack (see [ref-4](https://patchstack.com/database/wordpress/plugin/hippoo/vulnerability/wordpress-hippoo-mobile-app-for-woocommerce-plugin-1-9-5-broken-access-control-vulnerability?_s_id=cve)).
Official resources
-
CVE-2026-49065 CVE record
CVE.org
-
CVE-2026-49065 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-49065 was published on 2026-06-15T21:17:19.300Z and modified on 2026-06-15T21:24:32.790Z.