Saturday, May 3, 2025
Homecyber securityPrestaShop Website Under Injection Attack Via Facebook Module

PrestaShop Website Under Injection Attack Via Facebook Module

Published on

SIEM as a Service

Follow Us on Google News

A critical vulnerability has been discovered in the “Facebook” module (pkfacebook) from Promokit.eu for PrestaShop.

The vulnerability, CVE-2024-36680, allows a guest to perform SQL injection attacks on affected module versions.

CVE-2024-36680 – Vulnerability Details

The vulnerability stems from the Ajax script, which contains a sensitive SQL call that can be executed with a trivial HTTP call.

- Advertisement - Google News

Attackers can exploit this vulnerability to forge SQL injection attacks and gain unauthorized access to the associated PrestaShop database.

According to the module’s author, Promokit.eu, the exact versions impacted by this vulnerability are unknown, as it was introduced long ago.

The author has refused to provide the latest version so that security researchers can verify whether the issue has been fully resolved.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

As a precautionary measure, all module versions should be considered potentially vulnerable.

Active Exploitation and Warnings

Alarmingly, malicious actors are actively using this exploit to deploy webskimmers, which are designed to steal credit card information from unsuspecting customers.

PrestaShop website owners are urged to take immediate action to mitigate the risk of data theft and unauthorized access.

Mitigation and Recommendations

To protect PrestaShop installations from this vulnerability, upgrading to the latest version of the pkfacebook module is highly recommended.

Additionally, PrestaShop users should consider the following security measures:

  1. Upgrade PrestaShop to the latest version to disable multi-query executions and enhance overall security.
  2. Ensure that the pSQL function, which includes, is properly implemented to protect against Stored XSS vulnerabilities.
  3. Change the default database prefix ps_ to a longer, arbitrary prefix to make it more difficult for attackers to guess.
  4. OWASP 942’s rules on a Web Application Firewall (WAF) will be activated to strengthen security further while being aware of potential conflicts with the back office functionality.

PrestaShop website owners are advised to address this critical vulnerability swiftly and implement the recommended security measures to safeguard their online stores and protect customer data from potential breaches.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid...

NVIDIA Riva AI Speech Flaw Let Hackers Gain Unauthorized Access to Abuse GPU Resources & API keys

Researchers have uncovered significant security vulnerabilities in NVIDIA Riva, a breakthrough AI speech technology...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...