CVE-2022-50972

WooCommerce 7.1.0 Remote Code Execution via class-wc-meta-box-product-images.php

CVSS 9.3 CRITICALEPSS 0.6%CWE-94

WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

WooCommerce · WooCommerce

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/51156unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wordpress.org/plugins/woocommerce https://www.exploit-db.com/exploits/51156 https://www.vulncheck.com/advisories/woocommerce-remote-code-execution-via-class-wc-meta-box-product-images-php