External risk intelligence

WooCommerce Remote Code Execution Via Product Type Parameter

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2022-50972

The vulnerability exists in WooCommerce, a widely deployed e-commerce plugin for WordPress. As a public-facing web store application, these endpoints are designed to be accessible over the internet to facilitate customer transactions and site functionality, making them inherently public-facing by design.

Code Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in WooCommerce allows attackers to execute malicious code on affected systems by manipulating product type settings. This could enable unauthorized access and control over web server environments where the WooCommerce plugin is active. The main concern is confirming relevance and exposure.

Attackers can run their own code on stores.
Widely used e-commerce tool has a serious security flaw.
Confirm if your WooCommerce sites are exposed.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests to a WooCommerce endpoint. This endpoint, specifically `class-wc-meta-box-product-images.php`, processes a parameter called `product-type`. If this parameter is not properly sanitized, an attacker can inject shell commands, leading to the execution of arbitrary PHP code. This could result in the attacker writing malicious PHP files to the web server's root directory.

No authentication or special access needed.
Injecting shell commands via `product-type` parameter.
Remote code execution and web shell creation.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, this vulnerability could allow attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. This could lead to the creation of malicious PHP files within the web root, potentially impacting the integrity and availability of the affected service.

Arbitrary code execution.
Unsanitized input to vulnerable endpoint.
Web server compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this vulnerability within their WooCommerce installations. The first practical step is to identify all instances of the affected technology, confirm their accessibility and business criticality, and then ascertain the accountable owner for remediation planning.

Application owners should lead the response.
Verify WooCommerce instances and their exposure.
Plan remediation based on verified risk.

Supplementary metadata

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is WooCommerce and why do people use it?

WooCommerce is a popular open-source plugin for the WordPress content management system. It provides the core functionality needed to turn a standard website into a fully functional online store, allowing users to manage product inventories, process customer payments, and handle e-commerce operations directly from their WordPress dashboard.

What does CWE-94 mean in the context of CVE-2022-50972?

CWE-94 refers to improper control of generation of code. In this specific vulnerability, it means the software does not properly filter or clean data provided by a user before using it to perform actions. Because the input is not sanitized, the application mistakenly treats user-provided text as valid commands, allowing an attacker to run their own unauthorized PHP code on the server.

How can an attacker trigger this vulnerability?

An attacker can trigger this issue by sending a specially crafted web request to a specific WooCommerce file, class-wc-meta-box-product-images.php. By injecting shell commands into the product-type parameter, the attacker forces the system to execute those commands. Requests that do not target this specific endpoint or that do not include the malicious product-type value will not trigger this vulnerability.

Is my WooCommerce site at risk?

Halo Surface Signal indicates that because WooCommerce is designed as an e-commerce platform, its endpoints are often exposed to the internet to facilitate shopping. If your WordPress site uses the affected version of WooCommerce and is reachable over the network, it is considered internet-facing and should be evaluated as a high priority for investigation.

What are the first steps to take if I run WooCommerce?

Begin by creating an inventory of all your websites running WooCommerce to identify which installations are using the affected software version. Once identified, confirm the accessibility of these sites to understand their network exposure. Finally, designate a team to manage the update process and ensure that security measures are prioritized for these specific business applications.

References

Written by Nicholas Merritt

Nicholas Merritt is VP of Security Solutions at Halo Security. With more than 25 years across application security, vulnerability prioritization, and offensive security, he helps teams translate threat data into practical exposure validation and remediation focus. He authors Halo Threat Intelligence CVE advisories using Halo Surface Signal and H/A/L/O context to prioritize internet-facing risk.