CVE-2026-49060

CRITICAL EXPLOITED

WordPress Hippoo Mobile App for WooCommerce plugin <= 1.9.4 - Privilege Escalation vulnerability

Title source: cna

Exploitation Summary

CVE-2026-49060 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4.

References (1)

Core 1

Core References

Vdb Entry vdb-entry

https://patchstack.com/database/wordpress/plugin/hippoo/vulnerability/wordpress-hippoo-mobile-app-for-woocommerce-plugin-1-9-4-privilege-escalation-vulnerability?_s_id=cve

Scores

CVSS v3 9.8

EPSS 0.0046

EPSS Percentile 36.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2026-06-08

CWE

CWE-266

Status published

Products (1)

Hippoo/Hippoo Mobile App for WooCommerce < 1.9.4

Published Jun 11, 2026

Tracked Since Jun 12, 2026