
CVE-2022-31181 Scanner - SQL Injection vulnerability in PrestaShop
Short Info
Level
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 10 hours
Scan only one: Domain, Subdomain, IPv4
PrestaShop is a widely-used open-source e-commerce platform designed for small to medium businesses around the world. Its flexible architecture allows merchants to customize and enhance their online stores with a variety of themes and plugins. PrestaShop is utilized in many industries including electronics, fashion, and furniture, providing a comprehensive solution to manage orders, products, and customer relationships. Built on PHP and MySQL, it supports various payment gateways and shipping options. With its user-friendly interface, both technical and non-technical individuals can effectively manage their online stores on PrestaShop. This vulnerability check is crucial for business owners to ensure their online stores remain secure and fully functional.
The SQL Injection vulnerability in PrestaShop poses a significant threat because it allows attackers to manipulate database queries by submitting user input that is not sanitized. It is particularly dangerous because it can lead to unauthorized access to, and manipulation of, sensitive data stored in the database. Malicious actors can inject SQL statements and potentially gain the ability to read, modify, or delete data. Furthermore, the injection can be chained with other weaknesses, such as a call to PHP's eval() function, escalating the impact to possible remote code execution. Protecting against this vulnerability is critical to maintaining the integrity and confidentiality of the data held by PrestaShop stores. Regular updates and sanitization of input fields are essential to mitigating this risk.
The vulnerability occurs at several endpoints within the PrestaShop platform, often involving modules that handle customer inputs, such as login and wishlist functions. These endpoints do not properly sanitize the inputs they receive, so malicious inputs sent to them result in SQL injection. The vulnerable SQL commands typically include data retrieval and updates, posing the risk of unauthorized database manipulation. Attackers exploit the 'id_wishlist' parameter in particular, chaining multiple SQL commands to manipulate database settings. The injection enables further exploitation by altering configuration settings that involve executing PHP code through eval(), thereby posing a severe risk to the system's security. A technical understanding of HTTP requests is essential to identifying and fixing these vectors.
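A defender-side check for the pattern described above, as an added example that is not part of the original page or of PrestaShop's code: it scans web access log lines for requests whose id_wishlist value is not a plain integer. The log lines and the /module/example/view path are constructed placeholders, and the rule that a legitimate id_wishlist is a short unsigned integer is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate id_wishlist is a short unsigned integer.
VALID_ID_RE = re.compile(r"[0-9]{1,10}")


def suspicious_wishlist_ids(target):
    """Return decoded id_wishlist values in a request target that are not integers."""
    found = []
    for pair in urlsplit(target).query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) != "id_wishlist":
            continue
        value = unquote_plus(raw)  # decode once, as the web server would
        if not VALID_ID_RE.fullmatch(value):
            found.append(value)
    return found


def scan(lines):
    """Return (line_number, client, value) for every non-integer id_wishlist."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not a request line this parser understands
        client = line.split(" ", 1)[0]
        for value in suspicious_wishlist_ids(match.group(1)):
            hits.append((number, client, value))
    return hits


# Constructed sample lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2022:10:00:01 +0000] "GET /module/example/view?id_wishlist=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Aug/2022:10:00:07 +0000] "GET /module/example/view?id_wishlist=12%3BSELECT+1 HTTP/1.1" 200 512',
    '198.51.100.2 - - [01/Aug/2022:10:01:00 +0000] "GET /index.php?id_product=4 HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Aug/2022:10:02:30 +0000] "GET /module/example/view?id_wishlist=%2531 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, client, value in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent id_wishlist={value!r}")
```

Access logs normally record only the query string, so values sent in a POST body need the same check applied at a WAF or in application logging.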
If exploited, this vulnerability can result in severe consequences including full system compromise. Attackers could execute arbitrary PHP code, leading to unauthorized access to sensitive data, database manipulation, defacement of the website, and potentially, persistence through backdoors. Such a compromise would gravely affect the brand's reputation, result in loss of customer trust, and potentially incur financial losses due to data breaches or business interruption. Moreover, attackers gaining prolonged access could launch further attacks against internal networks, causing extensive damage. It is critical to address this SQL Injection vulnerability promptly to protect business assets and customer information.
REFERENCES
- https://www.xmco.fr/wp-content/uploads/2022/12/XMCO-ActuSecu-59-Forwardshell-UXSS-cyberguerre.pdf
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4
- https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af804
- https://nvd.nist.gov/vuln/detail/CVE-2025-27007