CVE-2022-50972 is a critical remote code execution vulnerability in WooCommerce 7.1.0. The vulnerability allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. This is achieved by sending requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values, enabling the writing of malicious PHP files to the web root. The [truncated]
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0. This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only vali [truncated]
The WooCommerce PayPal Payments plugin for WordPress contains missing authorization checks on two WC-AJAX endpoints (`ppc-create-order` and `ppc-get-order`) in versions up to and including 4.0.1. The `ppc-create-order` endpoint accepts arbitrary WooCommerce order IDs in the `pay-now` context without validating order ownership, allowing unauthenticated attackers to create PayPal orders for any WC order and [truncated]