$ research-item --score 73 --exploit poc

Nuclei template: CVE-2026-10580.yaml

Research page generated from configured evidence sources. Treat this as an analyst workbench: facts are sourced, gaps are labelled, and low-confidence chatter is separated from confirmed evidence.

Executive judgement

  • Operational lane: patch priority
  • Priority score: 73
  • Confidence: high
  • Exploit status: poc — Public proof-of-concept signal observed; treat as elevated patch priority, but do not assume mass exploitation without corroboration.
  • Urgent publishable: yes
  • CISA KEV: No CISA KEV match captured in configured source data at generation time.
  • Published/observed: 2026-06-05
  • EPSS score: 0.0179 (75th percentile)

What happened

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. The root cause is a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for administrators and for unauthenticated visitors. HippooPermissions::has_role_access() unconditionally interprets that null as full administrator access. As a result, override_extension_permission_callback() assigns __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), and the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials. Most critically, a POST request to /wc-hippoo/v1/ext/wp/v2/users/ with a {"password":"<new_password>"} body resets the password of any WordPress user, including the site administrator, giving full administrative control of the site.

Why it matters

  • The item was promoted because the pipeline observed: priority score 73, exploit status poc, confidence high.
  • It has a CVE identifier, so it can be tracked across NVD/CVE.org/vendor/exploit sources.
  • Public PoC language was detected, so defensive teams should assume exploit development will accelerate.

Evidence collected

Exploitation and PoC status

  • Current automated assessment: Public proof-of-concept signal observed; treat as elevated patch priority, but do not assume mass exploitation without corroboration.
  • Public exploit/PoC: PoC signal present in configured sources; validate via research links below before taking operational claims at face value.
  • Exploited in the wild: Not confirmed by configured sources at generation time.
  • Ransomware association: No ransomware association captured at generation time.

Publication / validation flags

  • No validation flags from configured gates.

Dark web / low-confidence chatter

  • No matching OTX/URLhaus/MalwareBazaar item found in configured low-confidence feeds at generation time.
  • This is not proof of absence. It means the current automated sources did not capture relevant underground or malware-feed chatter.

Defender actions

  • Update the Hippoo plugin to a version later than 1.9.4
  • Scan with the Nuclei CVE-2026-10580.yaml template
  • Review callers of HippooPermissions::has_role_access() and any REST route whose permission callback resolves to __return_true

Analyst note

No KEV listing or active exploitation signals exist, yet the public PoC lowers the bar for exploitation of the described permission logic flaw. Organizations running the Hippoo plugin should treat detection and patching as a priority. Watch for similar null-sentinel role-check patterns in other WordPress extensions.
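The null-sentinel role-check pattern that the "What happened" section describes and that this note asks reviewers to watch for is shown below in PHP, side by side with a deny-by-default replacement. This is an added illustration, not the Hippoo plugin's code: the SentinelPermissions and StrictPermissions classes, the example/v1 namespace and the example_allowed_routes user-meta key are hypothetical names chosen for the example. The WordPress functions it calls (get_userdata, user_can, get_user_meta, get_current_user_id, register_rest_route, rest_authorization_required_code) are real core APIs.

```php
<?php
/**
 * Added example: the null-sentinel permission pattern described in the advisory,
 * next to a deny-by-default version. Not the plugin's own code; class, method
 * and meta-key names are hypothetical.
 */

// ---- Vulnerable shape: one sentinel value stands for two opposite states ----
class SentinelPermissions {
    /**
     * Returns an allow-list of routes for limited users, or null meaning
     * "unrestricted". The flaw: a request with no user (ID 0, i.e. an
     * unauthenticated caller) also falls through to null, so anonymous and
     * administrator are indistinguishable to every consumer of this value.
     */
    public static function get_user_permissions( $user_id ) {
        if ( ! $user_id ) {
            return null; // anonymous visitor: nothing to look up
        }
        if ( user_can( $user_id, 'manage_options' ) ) {
            return null; // administrator: "no restrictions"
        }
        $allowed = get_user_meta( $user_id, 'example_allowed_routes', true );
        return is_array( $allowed ) ? $allowed : array();
    }

    /** Consumer of the sentinel: null is read as full access in both cases. */
    public static function has_role_access( $user_id, $route ) {
        $perms = self::get_user_permissions( $user_id );
        if ( null === $perms ) {
            return true; // BUG: also true for an unauthenticated caller
        }
        return in_array( $route, $perms, true );
    }
}

// ---- Hardened shape: authentication is decided first, nothing is overloaded ----
class StrictPermissions {
    /**
     * Three distinct outcomes, none of them a shared sentinel:
     * unauthenticated -> false, administrator -> true, others -> allow-list.
     */
    public static function has_role_access( $user_id, $route ) {
        if ( ! $user_id || ! get_userdata( $user_id ) ) {
            return false; // unauthenticated or unknown user: deny before any role logic
        }
        if ( user_can( $user_id, 'manage_options' ) ) {
            return true;
        }
        $allowed = get_user_meta( $user_id, 'example_allowed_routes', true );
        return is_array( $allowed ) && in_array( $route, $allowed, true );
    }

    /**
     * REST permission_callback. Returns a WP_Error carrying 401 (anonymous) or
     * 403 (authenticated but not allowed) instead of a bare false, and is never
     * swapped for __return_true.
     */
    public static function permission_callback( WP_REST_Request $request ) {
        $user_id = get_current_user_id(); // 0 when the request carries no valid auth
        if ( self::has_role_access( $user_id, $request->get_route() ) ) {
            return true;
        }
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to call this route.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
}

// A proxied route registered with an explicit, per-request permission decision.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/ext/(?P<path>.+)', array(
        'methods'             => WP_REST_Server::ALLMETHODS,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array( 'path' => $request['path'] ) );
        },
        'permission_callback' => array( 'StrictPermissions', 'permission_callback' ),
    ) );
} );
```

When reviewing other extensions for the same class of bug, two greps cover most of it: any `'permission_callback' => '__return_true'` (or code that assigns `__return_true` at runtime, as the advisory describes), and any role check that branches on null or an empty value before it has confirmed that get_current_user_id() is non-zero.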

Defender / Sentinel hunting queries

MDE exposure: devices with CVE-2026-10580

Find devices where Microsoft Defender Vulnerability Management reports the CVE.

DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2026-10580"
| project DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, LastSeenTime
| order by VulnerabilitySeverityLevel desc, LastSeenTime desc

MDE endpoint behaviour hunt

General endpoint hunt for named tooling, malware, or exploit artefacts from the research item. Tune terms with vendor IOCs.

// Generic terms ("template", "Mobile") match broadly; tune the list with vendor IOCs before running at scale.
let terms = dynamic(["Nuclei", "template", "Hippoo", "Mobile", "WooCommerce"]);
DeviceProcessEvents
| where Timestamp > ago(14d)
| where ProcessCommandLine has_any (terms) or FileName has_any (terms) or FolderPath has_any (terms)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

MDE file artefact hunt

Hunt for suspicious files dropped or modified during exploitation of this vulnerability.

// Same term list as the process hunt; "template" and "Mobile" are broad and should be tuned.
let terms = dynamic(["Nuclei", "template", "Hippoo", "Mobile", "WooCommerce"]);
DeviceFileEvents
| where Timestamp > ago(14d)
| where FileName has_any (terms) or FolderPath has_any (terms) or InitiatingProcessCommandLine has_any (terms)
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, FileSize
| order by Timestamp desc

MDE registry persistence and tamper hunt

Hunt for suspicious registry modifications (persistence, service installs, config tampering) linked to this issue.

// The persistence-key clause is OR'ed with the term clause, so this returns every Run/Services/Winlogon
// write in the window; narrow with "and" once specific values are known.
let terms = dynamic(["Nuclei", "template", "Hippoo", "Mobile"]);
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey has_any ("Run", "RunOnce", "Services", "Image File Execution", "Winlogon")
    or RegistryValueName has_any (terms) or RegistryKey has_any (terms) or PreviousRegistryValueData has_any (terms)
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Exposure validation ideas

  • Search asset inventory for affected vendor/product names and any CVE reference.
  • Check internet-facing exposure through approved tools only: Shodan/Censys/GreyNoise links below are research starting points, not proof of exposure.
  • Prioritise management interfaces, edge devices, identity/control-plane systems, and OT/ICS assets where relevant.

Detection / hunting ideas

  • Review vendor logs for authentication failures, privilege changes, unexpected admin activity, and anomalous management-plane access.
  • Search SIEM/EDR telemetry for product-specific process names, network services, and newly published indicators from primary sources.
  • Monitor for scanner traffic or nuclei/metasploit module references once public exploit tooling appears.

Open questions

  • Is there a primary vendor advisory with exact affected versions and fixed versions?
  • Has CISA KEV, Shadowserver, GreyNoise, or a trusted vendor confirmed exploitation?
  • Are there credible PoC repositories or only secondary reporting mentioning PoC?
  • Is there underground/forum/leak-site discussion, or only public reporting?

Generated: 2026-06-18T16:20:07+00:00
