Hippoo Mobile App for WooCommerce Path Traversal Vulnerability Allowing Unauthenticated Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in the Hippoo Mobile App for WooCommerce plugin for WordPress, affecting all versions through 1.7.1. The vulnerability arises in the template_redirect() function, where unauthenticated attackers can exploit the path traversal issue to read arbitrary files on the server. This could potentially lead to the exposure of sensitive information.
Impact
Exploitation of this vulnerability allows for unauthenticated arbitrary file read on the server, which can be used to access sensitive information.
Reproduction
The vulnerability can be reproduced by sending a request to the WordPress site with the Hippoo Mobile App for WooCommerce plugin installed, targeting the template_redirect() function. The request can include a crafted path that traverses directories to access arbitrary files on the server.
Remediation
Users are advised to update the Hippoo Mobile App for WooCommerce plugin to version 1.7.2 or later.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.