CVE-2022-50972
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk45th percentile — higher than 45% of all known CVEs
Summary
WooCommerce version 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter.
Risk Assessment
Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values, allowing them to write malicious PHP files to the web root.
Recommendation
It is recommended to update WooCommerce to the latest version to mitigate this vulnerability and implement additional security measures such as input validation.
Original NVD description (English source)
WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.

