Security Advisory - Published 2026-06-12 - WordPress

Hippoo WooCommerce CVE-2026-10580 and June plugin self-check

If a WooCommerce store has Hippoo Mobile App for WooCommerce installed, treat this as an admin-access review, not just a plugin update. CVE-2026-10580 affects Hippoo through 1.9.4 and is reported as an unauthenticated authentication bypass, which means the update closes the door but does not undo anything done through it before the patch. Patch first, then check WordPress users, WooCommerce settings, and mobile app API activity.

Defensive scope: this page covers plugin inventory, version checks, logs, admin review, and safe update steps. It does not include exploit payloads, unauthorized scanning steps, or instructions for taking over accounts.

Plugin checklist

CVE             Plugin                             Affected through   What to review
CVE-2026-10580  Hippoo Mobile App for WooCommerce  1.9.4              Administrators, password reset history, REST API activity, WooCommerce payment settings.
CVE-2026-49060  Hippoo Mobile App for WooCommerce  1.9.4              Admin/shop-manager changes, mobile app API activity, order settings.
CVE-2026-39494  Product Filter by WBW              3.1.2              Filter traffic, database errors, unusual product queries.
CVE-2026-42647  JoomSport                          5.7.7              League-management traffic, editor activity, database logs.
CVE-2026-42653  SliceWP                            1.2.6              Affiliate dashboard activity, payout settings, admin sessions.

Version checks

# Installed version, status, and whether an update is offered, for the plugins in the table above
wp plugin list --fields=name,status,version,update | grep -E -i 'hippoo|woo-product-filter|joomsport|slicewp'
# Accounts that can change store settings; note who they are and when they were created
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
wp user list --role=shop_manager --fields=ID,user_login,user_email,user_registered

For Hippoo, Wordfence and Patchstack list 1.9.5 as the patched version for CVE-2026-10580. If you cannot run WP-CLI, open WordPress admin > Plugins and record the installed versions (a screenshot is enough) before updating, so you can tell later which vulnerable version was live. Take a database backup before changing store plugins.
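The version check as a small script, added here as an example and not part of the advisory: it reads output in the shape of "wp plugin list --fields=name,version --format=csv", matches the same slug patterns the advisory's grep uses, and compares each installed version numerically against the checklist's last affected release, so that 1.10.0 correctly counts as newer than 1.9.4. The sample CSV is constructed; on a live site, pipe the real command into check_plugins instead.

```shell
#!/bin/sh
# Added example (not from the advisory): flag installed plugins that fall inside the
# "affected through" versions in the checklist table. The rows below are the page's;
# the slug patterns are the ones the advisory's own grep uses, and SAMPLE_PLUGINS is
# constructed to look like `wp plugin list --fields=name,version --format=csv` output.

# Pattern matched anywhere in the plugin slug, then the last affected version.
AFFECTED_TABLE='hippoo 1.9.4
woo-product-filter 3.1.2
joomsport 5.7.7
slicewp 1.2.6'

# version_le A B : succeed when dotted version A <= B, comparing each component as a
# number (a plain string compare would sort 1.10.0 before 1.9.4).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# affected_status SLUG VERSION : print AFFECTED, ok, or "not tracked".
affected_status() {
    slug=$1; ver=$2; status='not tracked'
    while read -r pattern last_bad; do
        case "$slug" in
            *"$pattern"*)
                if version_le "$ver" "$last_bad"; then status=AFFECTED; else status=ok; fi
                break ;;
        esac
    done <<EOF
$AFFECTED_TABLE
EOF
    printf '%s\n' "$status"
}

# check_plugins < csv : one line per plugin with its status last; header and blank lines skipped.
check_plugins() {
    while IFS=, read -r name version; do
        case "$name" in name|'') continue ;; esac
        printf '%-24s %-10s %s\n' "$name" "$version" "$(affected_status "$name" "$version")"
    done
}

# Constructed sample output (not from a real site); versions chosen to show each status.
SAMPLE_PLUGINS='name,version
akismet,5.3
hippoo,1.9.4
joomsport,5.7.7
slicewp,1.2.7
woo-product-filter,3.1.3
woocommerce,9.8.1'

# sample_affected_count : number of AFFECTED rows in the sample (quick self-check).
sample_affected_count() {
    printf '%s\n' "$SAMPLE_PLUGINS" | check_plugins | grep -c 'AFFECTED$' || true
}

printf '%s\n' "$SAMPLE_PLUGINS" | check_plugins
```

Anything printed as AFFECTED goes straight to the review columns of the table; "not tracked" only means the plugin is not on this page's list, not that it is clean.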

Logs and compromise checks

  • Unexpected administrator, shop manager, affiliate manager, or editor accounts.
  • Recent password resets or account email changes that nobody on the team requested.
  • WooCommerce order setting changes, payment setting changes, or new REST API keys (WooCommerce > Settings > Advanced > REST API) that nobody on the team created.
  • Database errors around product filtering, league pages, affiliate dashboards, or AJAX routes.
  • New plugin/theme files, unknown mu-plugins, or PHP files in uploads.
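Two of the checks above (unexpected administrator accounts, and accounts created recently) over output in the shape of "wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv", as an added example that is not part of the advisory. The list of expected logins, the cutoff date, and the sample accounts are all assumptions constructed for the example; run the same review with --role=shop_manager.

```shell
#!/bin/sh
# Added example, not from the advisory: review administrator accounts exported with
# `wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv`.
# Flags a login that is not on the team's expected list and any account registered on or
# after a cutoff date (the review window is an assumption you choose per incident).

# Logins the team expects to hold the administrator role (assumption: maintained by the team).
KNOWN_ADMINS='storeowner
devops'

# known_admin LOGIN : succeed when LOGIN is on the expected list (fixed-string, whole line)
known_admin() {
    printf '%s\n' "$KNOWN_ADMINS" | grep -qxF -- "$1"
}

# day_number 'YYYY-MM-DD[ HH:MM:SS]' : print YYYYMMDD so dates compare as integers
day_number() {
    printf '%s' "${1%% *}" | tr -cd '0-9'
}

# review_admins CUTOFF < csv : one line per account that needs a human look, with the
# reasons: unknown-login (not in KNOWN_ADMINS) and/or registered-after-cutoff.
review_admins() {
    cutoff=$(day_number "$1")
    while IFS=, read -r login email registered; do
        case "$login" in user_login|'') continue ;; esac   # CSV header or blank line
        reasons=
        known_admin "$login" || reasons="${reasons}${reasons:+ }unknown-login"
        # WordPress stores user_registered as 'YYYY-MM-DD HH:MM:SS', so the day part is enough here.
        reg=$(day_number "$registered")
        if [ -n "$reg" ] && [ "$reg" -ge "$cutoff" ]; then
            reasons="${reasons}${reasons:+ }registered-after-cutoff"
        fi
        if [ -n "$reasons" ]; then
            printf '%s <%s> registered %s: %s\n' "$login" "$email" "$registered" "$reasons"
        fi
    done
}

# Constructed sample in the CSV shape above (example accounts, not real data).
SAMPLE_ADMINS='user_login,user_email,user_registered
storeowner,owner@example.com,2021-03-02 09:14:51
devops,devops@example.com,2023-11-19 16:40:07
wpsupport1,wpsupport1@example.net,2026-06-11 03:27:44'

# review_sample CUTOFF : run the review over the constructed sample
review_sample() {
    printf '%s\n' "$SAMPLE_ADMINS" | review_admins "$1"
}

review_sample 2026-06-01
```

A flagged account is a prompt for a person to confirm, not proof of compromise; pair it with the password-reset and email-change history from the list above before deciding to remove it.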

Safe fix

  • Update Hippoo Mobile App for WooCommerce to 1.9.5 or newer.
  • If the update is not offered in your dashboard, deactivate the plugin until the site owner can patch it (deactivating stops WordPress from loading it; the files stay on disk until the plugin is updated or deleted).
  • If any user, payment setting, or API key looks changed, rotate administrator and shop-manager passwords, destroy their active sessions, and revoke API keys nobody on the team created.
  • Export WooCommerce settings and recent admin activity before cleanup so you can compare what changed.
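The steps above as one WP-CLI runbook, added here as an example and not the advisory's or Ping7's own tooling. It assumes the plugin's directory slug (hippoo below; confirm it with wp plugin list, the page does not state it), the patched version 1.9.5 given above, a list of administrator logins to rotate, and a sort that understands -V (GNU coreutils or BusyBox). The --show-password flag on wp user reset-password depends on the installed WP-CLI version, so check wp help user reset-password first. With DRY_RUN=1 set it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the advisory: the "Safe fix" steps as one WP-CLI runbook.
# Assumptions: SLUG is the plugin directory name as printed by `wp plugin list`, FIXED is
# the first patched version (1.9.5 for Hippoo per the advisory), and the remaining arguments
# are the administrator logins whose credentials are rotated. Set DRY_RUN=1 to print the
# commands instead of executing them.

# run CMD ARGS... : execute, or print with a "+ " prefix when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# version_at_least HAVE WANT : succeed when HAVE >= WANT (GNU/BusyBox `sort -V` ordering)
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# plugin_fix SLUG FIXED ADMIN_LOGIN... : snapshot, patch or deactivate, then rotate credentials
plugin_fix() {
    slug=$1; fixed=$2; shift 2
    stamp=$(date +%Y%m%d-%H%M%S)

    # 1. Keep something to diff against afterwards: a database backup and the WooCommerce options.
    run wp db export "pre-fix-$stamp.sql"
    run sh -c "wp option list --search='woocommerce_*' --format=json > woocommerce-options-$stamp.json"

    # 2. Patch. If no update was available, the installed version is still at or below the
    #    affected release: deactivate until the site owner can patch (files stay on disk).
    run wp plugin update "$slug"
    if [ -z "${DRY_RUN:-}" ]; then
        installed=$(wp plugin get "$slug" --field=version)
        if ! version_at_least "$installed" "$fixed"; then
            echo "$slug is still $installed (wanted $fixed or newer); deactivating" >&2
            run wp plugin deactivate "$slug"
        fi
    fi

    # 3. Treat existing admin credentials as suspect: end every session and issue new passwords.
    #    --show-password prints the new password to the operator instead of e-mailing the user;
    #    check `wp help user reset-password` for the flags your WP-CLI version supports.
    for login in "$@"; do
        run wp user session destroy "$login" --all
        run wp user reset-password "$login" --skip-email --show-password
    done
}

# Dry run with example arguments (slug and logins are assumptions); drop DRY_RUN=1 to apply.
DRY_RUN=1 plugin_fix hippoo 1.9.5 storeowner devops
```

Run it with DRY_RUN=1 first and read the printed commands against the plugin list and the admin review; the order matters, because the database export must exist before the update changes anything.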

Ping7 repair path

Ping7 can handle plugin version checks, emergency updates, admin-account review, WooCommerce API review, and cleanup if a store looks changed. Start from CVE Repair if the site processes payments or customer data.
