Description
WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.
Published: 2026-06-20
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WooCommerce 7.1.0 exposes a remote code execution flaw through the class-wc-meta-box-product-images.php endpoint. The vulnerability arises because an attacker can supply unsanitized values for the product-type parameter, allowing arbitrary PHP code to be written to the web root. This leads to full control over the affected WordPress site, enabling attackers to steal data, deface, or install malware. The weakness is a classic injection scenario identified as CWE-94.

Affected Systems

The flaw affects the WooCommerce plugin for WordPress, specifically version 7.1.0. WordPress sites running this version are vulnerable unless mitigated by a patch or configuration change. No other product or vendor variations are listed in the CNA data.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and because attackers can trigger the vulnerability via a crafted HTTP request, the likelihood of exploitation is high in environments where the endpoint is publicly exposed. EPSS data is not available, but the lack of a KEV listing does not diminish the risk, as the flaw allows remote code execution. An attacker can simply send a request with a malicious product-type value to write a PHP shell, gaining immediate control over the server.

Generated by OpenCVE AI on June 20, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WooCommerce to the latest released version that contains the RCE fix
  • Reconfigure file permissions to disallow arbitrary file creation in the web root, ensuring only necessary files can be written
  • Validate and whitelist the product-type parameter to accept only legitimate values, removing any code that writes files based on user input
  • Deploy a web application firewall or security plugin to block suspicious requests and monitor for unauthorized file modifications

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:45:00 +0000

Type: First Time appeared
  Values Removed: none
  Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: none
  Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Sat, 20 Jun 2026 14:00:00 +0000

Type: Description
  Values Removed: none
  Values Added: WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.
Type: Title
  Values Removed: none
  Values Added: WooCommerce 7.1.0 Remote Code Execution via class-wc-meta-box-product-images.php
Type: Weaknesses
  Values Removed: none
  Values Added: CWE-94
Type: References
  Values Removed: none
  Values Added: none
Type: Metrics
  Values Removed: none
  Values Added:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T13:37:00.161Z

Reserved: 2026-01-11T13:34:26.334Z

Link: CVE-2022-50972

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T16:30:08Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')