CVE-2022-50972NVD

Vulnerability Summary

WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.

Severity Level

CRITICAL(9.8)

Published Date

Jun 20, 2026

Last Modified

Jun 20, 2026

Exploitation Status

No confirmed exploitation yet

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

N/A

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://www.exploit-db.com/exploits/51156
https://wordpress.org/plugins/woocommerce
https://www.vulncheck.com/advisories/woocommerce-remote-code-execution-via-class-wc-meta-box-product-images-php