Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-50972

CVE-2022-50972: WooCommerce 7.1.0 RCE Vulnerability

CVE-2022-50972 is a remote code execution vulnerability in WooCommerce 7.1.0 that enables attackers to execute arbitrary PHP code via the product-type parameter. This article covers technical details, impact, and mitigation.

Published:

CVE-2022-50972 Overview

CVE-2022-50972 is a remote code execution vulnerability affecting WooCommerce 7.1.0, the WordPress e-commerce plugin. The flaw resides in the class-wc-meta-box-product-images.php endpoint, which fails to sanitize the product-type parameter before processing it. Attackers can inject shell commands through this parameter to write arbitrary PHP files into the web root. Successful exploitation grants attackers full code execution on the underlying server. The vulnerability maps to [CWE-94] (Improper Control of Generation of Code) and requires no authentication or user interaction.

Critical Impact

Unauthenticated attackers can execute arbitrary PHP code on WooCommerce 7.1.0 servers, leading to complete site compromise, data theft, and persistent backdoor access.

Affected Products

  • WooCommerce plugin for WordPress, version 7.1.0
  • WordPress sites with the affected WooCommerce release installed
  • Hosting environments running the vulnerable class-wc-meta-box-product-images.php handler

Discovery Timeline

  • 2026-06-20 - CVE-2022-50972 published to the National Vulnerability Database (NVD)
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2022-50972

Vulnerability Analysis

The vulnerability stems from improper input validation within the WooCommerce product image meta box handler. The class-wc-meta-box-product-images.php file processes the product-type parameter from incoming HTTP requests without sanitizing or validating its contents. Attackers can pass shell metacharacters and PHP code through this parameter. The application then uses the tainted value in operations that result in attacker-controlled PHP files being written to the WordPress web root.

Once a malicious PHP file lands in a web-accessible directory, the attacker can request it directly through the browser. This triggers execution under the web server user context. The result is full remote code execution on the host running WooCommerce 7.1.0.

Root Cause

The root cause is missing input sanitization on the product-type request parameter. The handler trusts client-supplied data and incorporates it into file-writing logic. This pattern matches [CWE-94], where untrusted input controls code generation. Standard WordPress nonce checks and capability validation are insufficient to stop the injection because the parameter content itself is unsafe.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the WooCommerce endpoint that processes product image metadata. The request includes a malicious product-type value containing PHP payload syntax. The server writes the payload into a PHP file under the web root. The attacker then issues a follow-up HTTP request to retrieve and execute the planted file.

A public proof-of-concept is available on Exploit-DB #51156 and the VulnCheck Advisory for WooCommerce RCE, which document the request structure and exploitation steps.

Detection Methods for CVE-2022-50972

Indicators of Compromise

  • HTTP POST requests to WooCommerce admin endpoints containing shell metacharacters or PHP tags inside the product-type parameter
  • New or unexpected .php files appearing in the WordPress web root, wp-content/, or WooCommerce plugin directories
  • Outbound connections from the web server to unfamiliar hosts shortly after suspicious admin-ajax or post.php requests
  • Web server processes (php-fpm, apache2, www-data) spawning shell utilities such as sh, bash, wget, or curl

Detection Strategies

  • Inspect web server access logs for requests referencing class-wc-meta-box-product-images.php with unusual product-type payloads
  • Monitor file integrity on WordPress directories to detect newly created PHP files outside of normal plugin or theme updates
  • Deploy WAF rules that block non-alphanumeric characters in the product-type parameter for WooCommerce requests
  • Hunt for child processes of PHP interpreters that match command execution or download tooling patterns

Monitoring Recommendations

  • Forward WordPress, PHP, and web server logs to a central SIEM for correlation across request, file, and process events
  • Alert on creation of executable PHP files in upload or web-root directories during runtime
  • Track WooCommerce plugin versions across the estate and flag any host still running 7.1.0
  • Baseline normal admin POST traffic volume and alert on spikes targeting WooCommerce product endpoints

How to Mitigate CVE-2022-50972

Immediate Actions Required

  • Upgrade WooCommerce to a release later than 7.1.0 that addresses the unsanitized product-type parameter
  • Audit the WordPress web root and plugin directories for unauthorized PHP files and remove any backdoors
  • Rotate WordPress administrator credentials, database passwords, and API keys after confirming a clean state
  • Restrict access to /wp-admin/ endpoints by IP allowlist where operationally feasible

Patch Information

Update the WooCommerce plugin to the latest stable version available from the WordPress WooCommerce Plugin repository. Review the WooCommerce changelog to confirm the fix for the class-wc-meta-box-product-images.php input handling is present. After patching, validate by replaying the proof-of-concept request from the VulnCheck Advisory for WooCommerce RCE in a test environment.

Workarounds

  • Deploy a web application firewall rule that rejects requests containing PHP tags or shell metacharacters in the product-type parameter
  • Set restrictive filesystem permissions so the web server user cannot write new .php files into the web root
  • Disable the WooCommerce plugin on production sites until the upgrade is applied if patching cannot be performed immediately
  • Enable disable_functions in php.ini to limit dangerous functions such as exec, shell_exec, system, and passthru
bash
# Example php.ini hardening to limit post-exploitation
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen = Off
allow_url_include = Off

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.