Critical SQL injection flaw identified in a Facebook module for PrestaShop
Take action: If you are using the Facebook module for PrestaShop, start by updating the module and PrestaShop itself to their latest versions, then apply the other mitigating measures below, since it is not clear whether the latest versions fix the issue.
A critical vulnerability has been identified in the "Facebook" module (pkfacebook) from Promokit.eu for PrestaShop. PrestaShop is a freemium, open-source e-commerce platform that allows businesses to create and manage their own online stores.
The flaw, tracked as CVE-2024-36680 (CVSS score 9.8), is an SQL injection that allows unauthenticated users to execute arbitrary SQL queries through a simple HTTP call due to a flaw in the Ajax script.
Active exploitation has been observed, with web skimmers stealing credit card information.
Due to the uncertainty around the specific versions impacted and the refusal of Promokit.eu to provide the latest version for verification, all versions of the pkfacebook module should be considered vulnerable. Website owners using this module are urged to apply the following mitigating measures:
- Ensure you have the latest version of the module installed, despite the vendor's lack of clarity.
- Update PrestaShop to the latest version to disable multi-query execution and enhance overall security.
- Change the default database prefix ps_ to a more complex, arbitrary prefix to reduce the risk of SQL injection attacks.
- If using a Web Application Firewall, enable the OWASP CRS 942 (SQL injection) rule group to add an extra layer of security, keeping in mind potential conflicts with back-office functionality.
- Ensure regular backups of your database and website files to facilitate recovery in case of a security breach.
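Because every version of the module must be treated as vulnerable and exploitation is already underway, a shop owner will also want to check whether their own access logs show injection attempts against the module's Ajax entry point. The script below is an added example, not part of this advisory or of the module: it parses combined-format access-log lines (constructed samples, not real traffic), URL-decodes the request path, and flags requests to the module whose query string carries SQL-injection indicators in the spirit of the CRS 942 rule group. The `/modules/pkfacebook/ajax.php` path is an assumed placeholder; substitute the module's real Ajax script from your own install.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache/Nginx combined format), not from any
# real incident. The module Ajax path below is an ASSUMPTION: replace it with
# the real Ajax script path from your PrestaShop install.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "GET /modules/pkfacebook/ajax.php?id=12 HTTP/1.1" 200 512
203.0.113.11 - - [10/Jun/2024:12:00:02 +0000] "GET /modules/pkfacebook/ajax.php?id=12%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 7812
203.0.113.12 - - [10/Jun/2024:12:00:03 +0000] "GET /index.php?controller=product&id_product=5 HTTP/1.1" 200 9001
203.0.113.13 - - [10/Jun/2024:12:00:04 +0000] "GET /modules/pkfacebook/ajax.php?id=12%3BSELECT%20SLEEP(5) HTTP/1.1" 200 130
"""

# Combined log format: client IP, timestamp, request line, status, bytes sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators modelled on the CRS 942 (SQL injection) rule group; these are our
# own simplified patterns, not the CRS rules. Matched after URL decoding, since
# attackers percent-encode quotes, spaces and semicolons.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b[\s/*]+\bselect\b", re.I),          # union-based extraction
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),            # time-based probing
    re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),  # stacked (multi-)query
    re.compile(r"\binformation_schema\b", re.I),              # schema enumeration
    re.compile(r"--\s|#|/\*"),                                # comment sequences truncating the query
]


def find_sqli_attempts(log_text, ajax_prefix="/modules/pkfacebook/"):
    """Return one record per request to the module path that carries SQLi indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(ajax_prefix):
            continue
        decoded = unquote_plus(m.group("path"))
        matched = [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]
        if matched:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": decoded, "patterns": matched})
    return hits


if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"])
```

A match is a reason to pull the full request history for that client and verify the database contents and storefront JavaScript, not proof of compromise by itself.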