Security Advisory - Published 2026-06-12 - WordPress
Hippoo WooCommerce CVE-2026-10580 and June plugin self-check
If a WooCommerce store has Hippoo Mobile App for WooCommerce installed, treat this as an admin-access review, not just a plugin update. CVE-2026-10580 affects Hippoo through 1.9.4 and is reported as an unauthenticated authentication bypass. Patch first, then check WordPress users, WooCommerce settings, and mobile app API activity.
Plugin checklist
| CVE | Plugin | Affected through | What to review |
|---|---|---|---|
| CVE-2026-10580 | Hippoo Mobile App for WooCommerce | 1.9.4 | Administrators, password reset history, REST API activity, WooCommerce payment settings. |
| CVE-2026-49060 | Hippoo Mobile App for WooCommerce | 1.9.4 | Admin/shop-manager changes, mobile app API activity, order settings. |
| CVE-2026-39494 | Product Filter by WBW | 3.1.2 | Filter traffic, database errors, unusual product queries. |
| CVE-2026-42647 | JoomSport | 5.7.7 | League-management traffic, editor activity, database logs. |
| CVE-2026-42653 | SliceWP | 1.2.6 | Affiliate dashboard activity, payout settings, admin sessions. |
Version checks
```bash
# Installed versions of the plugins in the checklist
wp plugin list | grep -E 'hippoo|woo-product-filter|joomsport|slicewp'
# Accounts to review: administrators and shop managers
wp user list --role=administrator
wp user list --role=shop_manager
```

For Hippoo, Wordfence and Patchstack list 1.9.5 as the patched version for CVE-2026-10580. If you cannot run WP-CLI, check WordPress admin > Plugins and export a screenshot of plugin versions before updating. Keep a database backup before changing store plugins.
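An added example, not part of the original advisory: a shell filter that reads `wp plugin list --fields=name,version --format=csv` output and flags any plugin at or below the "Affected through" version in the checklist. The slug substrings come from the grep pattern above; pairing each with a table row, the `sample_csv` data, and the availability of `sort -V` are assumptions.

```shell
#!/bin/sh
# Added example: compare installed plugin versions with the checklist's
# "Affected through" column. Slug-to-row pairing is an assumption.
AFFECTED='hippoo 1.9.4
woo-product-filter 3.1.2
joomsport 5.7.7
slicewp 1.2.6'

# version_le A B: succeeds when A <= B in version order (needs sort -V).
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_plugins: reads "name,version" CSV on stdin and prints one line
# for every plugin whose version is still in an affected range.
check_plugins() {
  while IFS=, read -r name version; do
    [ "$name" = "name" ] && continue   # skip the CSV header row
    printf '%s\n' "$AFFECTED" | while read -r slug max; do
      case "$name" in
        *"$slug"*)   # substring match, like the grep pattern
          if version_le "$version" "$max"; then
            echo "AFFECTED $name $version (affected through $max)"
          fi ;;
      esac
    done
  done
}

# Constructed sample of the CSV output; not taken from a real site.
sample_csv() {
  printf '%s\n' 'name,version' 'hippoo,1.9.4' \
    'woo-product-filter,3.1.3' 'slicewp,1.2.6' 'akismet,5.3'
}

sample_csv | check_plugins
```

On a live site, replace the last line with `wp plugin list --fields=name,version --format=csv | check_plugins`.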
Logs and compromise checks
- Unexpected administrator, shop manager, affiliate manager, or editor accounts.
- Recent password resets or account email changes that nobody on the team requested.
- WooCommerce order setting changes, payment setting changes, or new API keys.
- Database errors around product filtering, league pages, affiliate dashboards, or AJAX routes.
- New plugin/theme files, unknown mu-plugins, or PHP files in uploads.
Safe fix
- Update Hippoo Mobile App for WooCommerce to 1.9.5 or newer.
- If the update is not available in your dashboard, disable the plugin until the site owner can patch it.
- Rotate administrator passwords and invalidate sessions if any user or payment setting looks changed.
- Export WooCommerce settings and recent admin activity before cleanup so you can compare what changed.
Ping7 repair path
Ping7 can handle plugin version checks, emergency updates, admin-account review, WooCommerce API review, and cleanup if a store looks changed. Start from CVE Repair if the site processes payments or customer data.