CVE-2022-50972— WooCommerce 7.1.0 Remote Code Execution via class-wc-meta-box-product-images.php
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-50972
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WooCommerce 7.1.0 Remote Code Execution via class-wc-meta-box-product-images.php
Source: NVD (National Vulnerability Database)
Vulnerability Description
WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| WooCommerce | WooCommerce | 7.1.0 | - |
II. Public POCs for CVE-2022-50972
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-50972
请登录查看更多情报信息。
Vendor Advisories for CVE-2022-50972 (1)
Exploits & Public PoCs for CVE-2022-50972 (1)
Vendor Pages for CVE-2022-50972 (1)
IV. Related Vulnerabilities
Same product: WooCommerce
- CVE-2026-3589
WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSR - CVE-2025-15033
WooCommerce - Subscriber/Customer+ Order Data Disclosure - CVE-2023-7320
WooCommerce <= 7.8.2 - Sensitive Information Exposure - CVE-2025-49042
WordPress WooCommerce plugin <= 10.0.2 - Cross Site Scriptin - CVE-2025-5062
WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scriptin
Same vendor: WooCommerce
- CVE-2026-2381
WooCommerce Stripe Payment Gateway <= 10.7.0 - Missing Autho - CVE-2026-9284
WooCommerce PayPal Payments <= 4.0.1 - Missing Authorization - CVE-2026-1710
WooPayments <= 10.5.1 - Missing Authorization to Unauthentic - CVE-2025-13457
WooCommerce Square <= 5.1.1 - Unauthenticated Insecure Direc - CVE-2024-10486
Google for WooCommerce <= 2.8.6 - Information Disclosure via
Same weakness: CWE-94
- CVE-2026-54816
WordPress Advanced Ads plugin <= 2.0.21 - Remote Code Execut - CVE-2026-40783
WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Co - CVE-2026-25470
WordPress ACPT (Pro) - Custom Post Types plugin for WordPres - CVE-2026-49113
WordPress Cornerstone plugin < 7.8.8 - Arbitrary Code Execut - CVE-2026-24155
NVIDIA NeMo Framework 代码注入漏洞
V. Comments for CVE-2022-50972
No comments yet