PrestaShop is a free, open-source E-commerce platform launched in 2007. Built with PHP and MySQL, it offers customizable, scalable solutions for online stores. Features include product management, inventory tracking, and payment processing. Supporting multiple languages and currencies, it's ideal for small to medium businesses worldwide.
Built by Promokit, the pkFacebook add-on integrates PrestaShop with Facebook, enabling product catalog sync, dynamic ads, and Facebook Shop creation. It supports Facebook Pixel for tracking and optimizing ad performance, enhancing social media marketing and customer engagement, and driving more traffic and sales to PrestaShop stores.
A significant vulnerability, tracked as CVE-2024-36680, was found in the module's Ajax script facebookConnect.php, which is served directly under /modules/pkfacebook/ajax/. The flaw is an SQL injection: a remote attacker can reach the vulnerable query with a single crafted HTTP request.
Proof of Concept:
curl -v "https://preprod.X/modules/pkfacebook/ajax/facebookConnect.php?id=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--&[email protected]
The hex literal 0x73656C65637420736C656570283432293B decodes to select sleep(42);. The stacked statement stores that text in the user variable @a and runs it through PREPARE/EXECUTE, so a vulnerable store answers only after a 42-second delay, which confirms the injection without any error message or returned data. Hex-encoding the statement also keeps the keywords select and sleep out of the raw request.
Cybercriminals are taking advantage of this vulnerability to install a card skimmer on susceptible e-commerce websites, allowing them to steal customers' credit card information.
TouchWeb analysts identified the vulnerability on 3 March 2024. Promokit.eu claimed the issue had been resolved "a long time ago", in 2022, when the patch for CVE-2022-36408 was published, but offered no evidence to support this.
Earlier this week, Friends-of-Presta released a proof-of-concept exploit for CVE-2024-36680, alerting that the vulnerability is being actively exploited. "This exploit is being used to deploy a web skimmer to steal credit card information on a large scale," they stated.
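Because the exploit is a single GET request whose shape is known from the proof of concept, exploitation attempts are easy to hunt for in web-server access logs. The script below is an added example for this article, not code from Friends-of-Presta, TouchWeb or Promokit: it parses combined-format log lines, restricts itself to requests for /modules/pkfacebook/ajax/facebookConnect.php, and reports the indicators the PoC exhibits (a non-numeric id value, a stacked statement after ";", PREPARE/EXECUTE of a user variable, and a hex literal that decodes to SQL). The log lines in SAMPLE_LOG are constructed for the example; the indicator names and the SQL keyword list are the author's choices, not anything the advisory specifies.

```python
"""Hunt access logs for attempts against the pkfacebook facebookConnect.php
SQL injection (CVE-2024-36680).

Added example for this article, not code from Friends-of-Presta, TouchWeb or
Promokit. Indicators are derived from the public PoC request; SAMPLE_LOG is
constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/modules/pkfacebook/ajax/facebookConnect.php"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

HEX_LITERAL = re.compile(r'0x(?:[0-9a-fA-F]{2})+')
# Keyword list is an assumption for the example; extend it for your own hunts.
SQL_KEYWORDS = re.compile(
    r'\b(select|sleep|benchmark|union|insert|update|delete|load_file)\b', re.I)
PREPARE_EXECUTE = re.compile(r'\bprepare\b.*\bexecute\b', re.I | re.S)


def decode_hex_literals(text):
    """Return the decoded content of every MySQL hex literal (0x...) in text.

    The PoC's 0x73656C65637420736C656570283432293B decodes to 'select sleep(42);'.
    """
    return [bytes.fromhex(m.group(0)[2:]).decode("utf-8", "replace")
            for m in HEX_LITERAL.finditer(text)]


def analyze_request(target):
    """Return the injection indicators found in one request target.

    An empty list means the request is not aimed at the vulnerable script or
    looks like a normal call (integer id, no stacked statement).
    """
    parts = urlsplit(target)
    if parts.path.lower() != TARGET_PATH.lower():
        return []
    # Scanners usually percent-encode the payload; decode before matching.
    query = unquote_plus(parts.query)
    params = dict(p.split("=", 1) if "=" in p else (p, "")
                  for p in query.split("&"))
    reasons = []
    id_value = params.get("id")
    if id_value is not None and not id_value.isdigit():
        reasons.append(f"non-numeric id parameter: {id_value[:40]!r}")
    if ";" in query:
        reasons.append("statement separator ';' in query string (stacked query)")
    if PREPARE_EXECUTE.search(query):
        reasons.append("PREPARE/EXECUTE of a user variable")
    for decoded in decode_hex_literals(query):
        if SQL_KEYWORDS.search(decoded):
            reasons.append(f"hex literal decodes to SQL: {decoded!r}")
    return reasons


def scan_log(lines):
    """Return (ip, timestamp, status, reasons) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        reasons = analyze_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), m.group("status"), reasons))
    return hits


# Constructed sample lines: a normal call, unrelated module traffic, and a
# PoC-shaped attempt sent percent-encoded the way a scanner would send it.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2024:10:14:02 +0000] "GET /modules/pkfacebook/ajax/'
    'facebookConnect.php?id=17&email=shopper%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Jun/2024:10:14:05 +0000] "GET /modules/ps_facetedsearch/'
    'ps_facetedsearch-ajax.php?q=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [05/Jun/2024:10:15:40 +0000] "GET /modules/pkfacebook/ajax/'
    'facebookConnect.php?id=1%22;select(0x73656C65637420736C656570283432293B)INTO@a;'
    'prepare%60b%60from@a;execute%60b%60;--&email=x%40example.com HTTP/1.1" 200 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {ts} HTTP {status}")
        for reason in reasons:
            print("   -", reason)
```

Run it against a real log with `scan_log(open("access.log"))`. The path filter keeps noise down, but the hex-literal decoder and the PREPARE/EXECUTE check are generic and can be lifted into a broader SQL-injection hunt; a hit with HTTP 200 and an unusually long response time is the strongest signal, since the PoC's sleep(42) only delays the answer and returns nothing.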
Regrettably, the developers have not provided Friends-of-Presta with the latest version to verify if the issue has been resolved. The most recent version available on Promokit's website is still 1.0.0, making it unclear if a patch has been issued.
Friends-of-Presta advises treating all versions prior to (and including) 1.0.1 as potentially affected and suggests these mitigation steps: