WooCommerce 7.1.0 Remote Code Execution via class-wc-meta-box-product-images.php

An unauthenticated attacker sends an HTTP request to `/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php` with a `product-type` parameter containing shell metacharacters, such as `;echo '<?php phpinfo(); ?>' >info.php`. The unsanitized value flows into a class name lookup and is ultimately used in a way that allows arbitrary command execution, writing a malicious PHP file to the web root [ref_id=1].

The vulnerable code resides in `class-wc-meta-box-product-images.php` at the `save()` function (line 92). The `$product_type` value is taken from `$_POST['product-type']` and passed through `sanitize_title(stripslashes(...))` before being used to construct a class name via `WC_Product_Factory::get_product_classname()` on line 94, which is then instantiated on line 95. The sanitization is insufficient to prevent shell metacharacters from being injected.

The advisory does not provide a patch diff. The recommended fix would be to strictly validate or whitelist the `product-type` parameter so that only known product types are accepted, preventing shell metacharacters from reaching the class name construction or any command execution context. Without a published patch, users should upgrade to a patched version of WooCommerce beyond 7.1.0.

Send a request to `http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php` to write a PHP info file to the web root [ref_id=1].