PrestaShop fixes bug that lets any backend user delete databases

The open-source e-commerce platform PrestaShop has released a new version that addresses a critical-severity vulnerability allowing any back-office user to write, update, or delete SQL databases regardless of their permissions.

Back-office users are those with access to the website’s administrative interface, including the owner, administrators, sales representatives, customer support agents, order processors, data entry staff, and others.

The permissions of each user are set so that they’re only allowed to access the information and features necessary for their role, which is a crucial security feature of PrestaShop.

Tracked as CVE-2023-30839, the critical (CVSS v3.1 score: 9.9) allows any user, regardless of their permissions, to perform unauthorized modifications on the online store’s database, potentially causing significant damage or service outage to impacted businesses.

The flaw, which has no mitigation, impacts all PrestaShop installations from version 8.0.3 and older.

While the need to have a user account on the vulnerable site somewhat mitigates the vulnerability, considering that online shops often employ large teams to handle orders, the flaw introduces a risk of allowing rogue or disgruntled employees to cause damage.

Moreover, it opens up a larger attack surface for hackers, who can now compromise any user account on PrestaShop-based e-commerce sites and potentially inject malicious code and backdoors or gain access to the SQL database.

Backdoor injections through website databases is a stealthy attack tactic Sucuri recently reported gaining traction in the wild, targeting mainly WordPress sites.

The software vendor addressed it with the release of version 8.0.4 and 1.7.8.9, released yesterday, to which all PrestaShop website owners are recommended to upgrade as soon as possible.

The open-source e-commerce platform has also fixed two other vulnerabilities in its latest release, namely CVE-2023-30535 (CVSS v3.1: 7.7, “high”) and CVE-2023-30838 (CVSS v3.1: 8.0, “high”).

The first is an arbitrary file read problem giving unauthorized users access to critical information. The second is an XSS injection issue that can hijack every HTML element on the site and is triggered without interaction.

It is crucial to apply the available security updates as soon as possible as hackers are always looking for vulnerabilities in large platforms like PrestaShop.

In July 2022, the e-commerce solution vendor urgently warned its users that hackers targeted the platform by leveraging a zero-day vulnerability to perform SQL injections on PrestaShop-based sites.