Any WooCommerce store running a version below 7.1.0 is currently exposed to a vulnerability with no available fix. An attacker who successfully exploits it can take full administrative control of the affected site, gaining access to every customer record, every stored order, and every payment detail your store holds. They can install malicious code, redirect your customers to third-party sites, or wipe your database entirely. The CVE record for CVE-2022-50972 assigns a CVSS score of 9.8 out of 10, which places it in the critical tier — this is a documented, scored, published risk, not a theoretical scenario.
The vulnerability was publicly disclosed on 20 June 2026. As of that date, no patched version of the plugin exists. Running WooCommerce below version 7.1.0 right now means running software with a known, publicly documented critical flaw and no vendor-supplied remedy.
CVSS 9.8: What the Score Means for a Store Running Below 7.1.0
A CVSS score of 9.8 indicates that exploitation requires no authentication, no special privileges, and no interaction from your customers or staff. An attacker sends a crafted request to your site and, if the vulnerability is present, they get in. No login needed. No social engineering. The vulnerability type recorded against this CVE is consistent with unauthenticated remote exploitation, which means the relevant question for any site owner is how quickly automated scanning tools will identify and target exposed sites after public disclosure. Disclosure happened on 20 June 2026. The window between a public CVE and active exploitation at scale is typically measured in hours, not weeks.
WooCommerce stores hold customer data that carries legal obligations under UK GDPR. A breach resulting from a known, unpatched vulnerability — one you had been informed of and had the means to mitigate — leaves you defending that position to the ICO with no adequate answer.
How to Check Your Version and What to Do Right Now
In your WordPress dashboard, go to Plugins > Installed Plugins and locate WooCommerce in the list. The version number appears directly beneath the plugin name. If it reads anything below 7.1.0, your site is affected.
Because no patched version currently exists, updating is not an option. Two mitigations are available:
- Disable WooCommerce immediately. Go to Plugins > Installed Plugins, find WooCommerce, and click Deactivate. This takes your store offline but closes the attack surface entirely. For a business that depends on online sales, this is a significant decision, and also the cleanest one available until a fix is released.
- Implement a Web Application Firewall (WAF) rule. Where taking your store offline is operationally impossible, a WAF can be configured to block the specific request pattern this vulnerability exploits. Services such as Cloudflare and Wordfence both offer WAF capabilities for WordPress. A WAF is a filter, not a fix: it reduces exposure without eliminating it, and if the rule is misconfigured or bypassed, the vulnerability remains live beneath it.
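As an added example, not part of the original post: a POSIX shell script that performs the version check above from the command line with WP-CLI and applies the first mitigation (deactivation) when the installed version is below 7.1.0. It assumes WP-CLI (`wp`) is installed and that the script runs from the WordPress root; the function names, the `DRY_RUN` variable and the `--run` flag are my own conventions. It does not attempt a WAF rule, because the request pattern to block is not given above.

```shell
#!/bin/sh
# Added example (not the post's own code): check the installed WooCommerce
# version with WP-CLI and, if it is below 7.1.0, deactivate the plugin.
# Assumes WP-CLI is installed and the script is run from the WordPress root.
set -eu

AFFECTED_BELOW="7.1.0"   # versions below this are described as affected

# version_lt A B: exit 0 if dotted version A is lower than B, comparing each
# numeric component in turn (so 7.10.2 is correctly treated as newer than 7.1.0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      ai = (i <= n) ? x[i] + 0 : 0   # "+ 0" coerces a tag like "1-rc1" to 1
      bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1   # equal versions are not "less than"
  }'
}

# is_affected VERSION: exit 0 when VERSION falls in the affected range.
is_affected() {
  version_lt "$1" "$AFFECTED_BELOW"
}

# Read the installed version via WP-CLI ("wp plugin get" supports --field=version).
installed_woocommerce_version() {
  wp plugin get woocommerce --field=version
}

# Deactivate the plugin, or only report what would happen when DRY_RUN=1.
deactivate_woocommerce() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "DRY_RUN: would run 'wp plugin deactivate woocommerce'"
  else
    wp plugin deactivate woocommerce
  fi
}

main() {
  if ! command -v wp >/dev/null 2>&1; then
    echo "wp-cli not found; run this from a WordPress install with WP-CLI available" >&2
    return 2
  fi
  v=$(installed_woocommerce_version)
  if is_affected "$v"; then
    echo "WooCommerce $v is below $AFFECTED_BELOW: affected, deactivating"
    deactivate_woocommerce
  else
    echo "WooCommerce $v is $AFFECTED_BELOW or newer: not in the affected range"
  fi
}

# Only act when invoked with --run, so the file can be sourced for its
# functions (for example to check many sites) without side effects.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Rehearse with `DRY_RUN=1 ./check-woo.sh --run` first, then run without `DRY_RUN` to deactivate. Deactivation stops WordPress loading the plugin's code but leaves its files on disk and the store's tables in the database, so when a patched release appears the reverse step is simply `wp plugin update woocommerce` followed by `wp plugin activate woocommerce`. The comparison also handles two-component versions such as 6.9, which a plain string comparison would mis-order against 7.1.0.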
Whichever route you take, monitor the WooCommerce changelog and the WPVulnerability plugin database for a patched release. When a fix lands, update immediately and reactivate if you disabled the plugin.
One concrete step worth taking in parallel: go to WooCommerce > Settings > Accounts & Privacy and check whether your store is set to retain customer data beyond the minimum period your business requires. Reducing the volume of data held on a vulnerable site limits what an attacker can access if exploitation occurs before a patch is available.
Why Plugin Updates Are Not Optional Maintenance
WooCommerce is the most widely deployed e-commerce platform on WordPress, and that scale makes it a high-value target. When a vulnerability is disclosed at CVSS 9.8 with no authentication required, every unpatched installation becomes a target within the same news cycle as the disclosure. I see this pattern repeatedly with business owners who treat plugin updates as something to get to eventually.
Keeping plugins current is the single most effective control available to a site owner without a security background. It requires a process: check for updates, apply them promptly, and confirm the site works after each update. Applied consistently, that process closes the majority of known attack vectors before they can be exploited. The failure mode is treating updates as a risk rather than a remedy. Updates do occasionally break things, but a broken layout or a plugin conflict is recoverable. A compromised WooCommerce database, with customer names, addresses, and order histories exposed, is a different category of problem entirely.
There is one consequence of this specific vulnerability that deserves particular attention. If an attacker gains administrative access to your WordPress installation through an exploited WooCommerce vulnerability, they can create new administrator accounts and remove yours. Recovering access to your own site then requires server-level intervention, and if you are on shared hosting without direct database access, that recovery may not be possible without involving your host on a timeline that is not yours to control.
If your store is running WooCommerce below version 7.1.0, I can audit your current setup, implement a WAF rule as an interim measure, and monitor the CVE for a patched release so you are updated the moment one is available. Exploitation of a CVSS 9.8 vulnerability typically begins within hours of public disclosure, and this one was disclosed on 20 June 2026. Contact me at The WordPress Guy to arrange an emergency security review.