PrestaShop, the open-source e-commerce platform, has released a new version to address a critical vulnerability that allows any back-office user to write, update, or delete SQL databases regardless of their permissions.
The flaw, tracked as CVE-2023-30839, has a CVSS v3.1 score of 9.9 and impacts all PrestaShop installations from version 8.0.3 and older. It opens up a larger attack surface for hackers, who can now compromise any user account on PrestaShop-based e-commerce sites and potentially inject malicious code and backdoors or gain access to the SQL database.
The software vendor has also fixed two other vulnerabilities in its latest release, CVE-2023-30535 (CVSS v3.1: 7.7, “high”) and CVE-2023-30838 (CVSS v3.1: 8.0, “high”).
Back-office users are those with access to the website’s administrative interface, including the owner, administrators, sales representatives, customer support agents, order processors, data entry staff, and others.
The permissions of each user are set so that they’re only allowed to access the information and features necessary for their role, which is a crucial security feature of PrestaShop.
While the need to have a user account on the vulnerable site somewhat mitigates the vulnerability, the flaw introduces a risk of allowing rogue or disgruntled employees to cause damage.
Sucuri recently reported that backdoor injections through website databases is a stealthy attack tactic gaining traction in the wild, targeting mainly WordPress sites. The software vendor addressed the issue with the release of version 8.0.4 and 1.7.8.9, released yesterday, to which all PrestaShop website owners are recommended to upgrade as soon as possible.
It is crucial to apply the available security updates as soon as possible as hackers are always looking for vulnerabilities in large platforms like PrestaShop.
In July 2022, the e-commerce solution vendor urgently warned its users that hackers targeted the platform by leveraging a zero-day vulnerability to perform SQL injections on PrestaShop-based sites.
