CVE Catalog

CVE-2022-50972

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.63%

45th percentile — higher than 45% of all known CVEs

Summary

WooCommerce version 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter.

Risk Assessment

Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values, allowing them to write malicious PHP files to the web root.

Recommendation

It is recommended to update WooCommerce to the latest version to mitigate this vulnerability and implement additional security measures such as input validation.

Original NVD description (English source)

WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS