CVE-2022-50972

WooCommerce · WooCommerce

WooCommerce 7.1.0 contains a remote code execution vulnerability allowing attackers to inject arbitrary PHP code via the product-type parameter.

Executive summary

A critical remote code execution vulnerability in WooCommerce 7.1.0 allows unauthenticated attackers to inject and execute arbitrary PHP code on the web server hosting the WordPress site.

Vulnerability

The vulnerability is in class-wc-meta-box-product-images.php, which does not properly sanitize the product-type parameter. According to the advisory, an unauthenticated attacker can abuse this to write attacker-controlled PHP files into the web root; once such a file is requested over HTTP, the server executes it, giving the attacker full remote code execution as the web server user.

Business impact

The CVSS score of 9.8 (critical) reflects the severity: the issue is reachable over the network, needs no privileges or user interaction, and yields code execution. Successful exploitation gives the attacker full control of the web server, enabling theft of the customer database, installation of persistent webshells, and pivoting into the broader corporate network.

Remediation

Immediate Action: Update WooCommerce to a patched release later than 7.1.0. After updating, confirm the installed version on the Plugins screen or via WP-CLI; a failed or partial update leaves the vulnerable version in place.

Proactive Monitoring: Audit the web root and plugin directories for newly created or unauthorized .php files that may have been written via this vector. Pay particular attention to wp-content/uploads and other directories the web server user can write to, and compare plugin files against a known-good copy of the same version rather than trusting modification timestamps, which an attacker can reset.

Compensating Controls: Implement file integrity monitoring (FIM) over the web root with a baseline taken from a known-clean state, and configure WAF rules for the product-type parameter. Prefer an allowlist of the expected product type slugs (simple, grouped, external and variable are the WooCommerce core types) over a blocklist of "suspicious" patterns, since a blocklist is easy to bypass with encoding tricks.
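To make the audit and file-integrity steps above concrete, here is an added example, not code from the advisory, from WordPress or from WooCommerce: a minimal FIM check that baselines the SHA-256 of every .php file under a WordPress tree, reports files added, modified or removed since the baseline, and lists world-writable directories where a dropped file could land. The directory layout, file names and file contents that demo() builds are constructed samples (the class file name is taken from the advisory, its contents are not), and the function names are this example's own. On a real host, call write_baseline against the DocumentRoot immediately after a clean deploy and compare_to_baseline on a schedule.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_php_files(root: Path) -> dict:
    """Map every .php file under root (POSIX path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*.php")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def write_baseline(root: Path, baseline_file: Path) -> int:
    """Record the current digests as the known-good baseline; returns the number of files recorded."""
    digests = hash_php_files(root)
    baseline_file.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return len(digests)


def compare_to_baseline(root: Path, baseline_file: Path) -> dict:
    """Classify every .php file as added, modified, removed or unchanged versus the baseline.

    'added' is the list to triage first: a PHP file that appeared under uploads/ or inside a
    plugin directory without a deploy is exactly the footprint the remediation asks you to find.
    """
    baseline = json.loads(baseline_file.read_text())
    current = hash_php_files(root)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "unchanged": sorted(p for p in current if p in baseline and baseline[p] == current[p]),
    }


def world_writable_dirs(root: Path) -> list:
    """Directories with the other-write bit set: anywhere any local process could drop a file."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = Path(dirpath) / name
            if full.stat().st_mode & 0o002:
                hits.append(full.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> dict:
    """Constructed scenario: baseline a small WordPress-like tree, then simulate what an audit
    after a file-write attack would see (one dropped .php under uploads/, one modified plugin
    file) and return the report. All contents below are constructed samples, not real code."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        known_good = {
            "wp-config.php": "<?php /* constructed sample */ define('DB_NAME', 'wp');",
            "wp-content/plugins/woocommerce/woocommerce.php": "<?php /* constructed sample */ // bootstrap",
            "wp-content/plugins/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php":
                "<?php /* constructed sample */ class WC_Meta_Box_Product_Images {}",
        }
        for rel, body in known_good.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        os.chmod(uploads, 0o777)  # deliberately loose, so the permission check has something to report

        baseline_file = root / "php-baseline.json"  # not a .php file, so it is never hashed
        write_baseline(root, baseline_file)

        # Simulated post-compromise state (constructed, harmless contents).
        dropped = uploads / "2022" / "11" / "cache.php"
        dropped.parent.mkdir(parents=True)
        dropped.write_text("<?php /* constructed stand-in for an attacker-written file */ echo 'x';")
        (root / "wp-content/plugins/woocommerce/woocommerce.php").write_text(
            "<?php /* constructed sample */ // bootstrap\n// appended line"
        )

        report = compare_to_baseline(root, baseline_file)
        report["world_writable"] = world_writable_dirs(root)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must come from a state you trust: a snapshot taken after the server was already compromised simply enrolls the webshell as "unchanged". Store the baseline file outside the web root (or on a separate host), since an attacker with file-write access to the DocumentRoot can otherwise rewrite it.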

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability represents a direct path to server compromise and must be addressed with the highest urgency. Administrators should apply the latest security updates provided by WooCommerce and restrict web directory permissions so that the web server user cannot write to code directories (WordPress core, plugin and theme folders); writes should be confined to the uploads directory, with PHP execution disabled there at the web server, so that a file an attacker manages to drop cannot be run.