CVE-2022-50972: WooCommerce 7.1.0 Remote Code Execution via class-wc-meta-box-product-images.php
WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.
Security readout for executives and security teams
Plain-English summary
This CVE describes a critical remote code execution issue in WooCommerce 7.1.0. A vulnerable store could let an unauthenticated attacker run PHP code on the web server, potentially taking over the site and customer-facing commerce functions.
Executive priority
Treat this as urgent for any ecommerce property using WooCommerce 7.1.0. Successful compromise could affect site integrity, customer trust, and transaction availability. If no 7.1.0 deployment exists, priority drops substantially.
Technical view
The supplied record describes CWE-94 in WooCommerce 7.1.0, involving unsanitized product-type input to class-wc-meta-box-product-images.php that can lead to arbitrary PHP file creation in the web root. CVSS is 9.8 with network access, low complexity, no privileges, and no user interaction.
Likely exposure
Exposure appears limited to WordPress sites running WooCommerce 7.1.0. The source bundle does not identify other affected versions, hosting requirements, or whether authentication controls alter reachability in real deployments.
Exploitation context
An ExploitDB reference is listed, so public exploit material exists. The source bundle says KEV is false and provides no evidence of active exploitation in the wild.
Researcher notes
Evidence is strong for a critical RCE claim against WooCommerce 7.1.0, but incomplete for patch lineage, real-world exploitation, and affected configuration details. Avoid expanding scope beyond the named version without vendor confirmation.
Mitigation direction
Inventory all WordPress sites for WooCommerce version 7.1.0.
Prioritize upgrading away from WooCommerce 7.1.0 using official vendor guidance.
Review vendor advisories before assuming a specific fixed version.
Restrict unnecessary public exposure to administrative PHP endpoints where feasible.
Inspect web roots for unexpected PHP files after exposure is found.
Validation and detection
Confirm installed WooCommerce versions from WordPress administration or asset inventory.
Check whether any production site still runs WooCommerce 7.1.0.
Review web server logs for unusual requests to the named PHP endpoint.
Look for unexpected PHP files in writable web directories.
Verify remediation against official WooCommerce or WordPress plugin guidance.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-94: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
4Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-94 · source CWE mapping
Improper Control of Generation of Code ('Code Injection')
Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.