Security News > 2023 > April > PrestaShop fixes bug that lets any backend user delete databases
The open-source e-commerce platform PrestaShop has released a new version that addresses a critical-severity vulnerability allowing any back-office user to write, update, or delete SQL databases regardless of their permissions.
The permissions of each user are set so that they're only allowed to access the information and features necessary for their role, which is a crucial security feature of PrestaShop.
Tracked as CVE-2023-30839, the critical allows any user, regardless of their permissions, to perform unauthorized modifications on the online store's database, potentially causing significant damage or service outage to impacted businesses.
While the need to have a user account on the vulnerable site somewhat mitigates the vulnerability, considering that online shops often employ large teams to handle orders, the flaw introduces a risk of allowing rogue or disgruntled employees to cause damage.
It opens up a larger attack surface for hackers, who can now compromise any user account on PrestaShop-based e-commerce sites and potentially inject malicious code and backdoors or gain access to the SQL database.
Backdoor injections through website databases is a stealthy attack tactic Sucuri recently reported gaining traction in the wild, targeting mainly WordPress sites.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-25 | CVE-2023-30839 | SQL Injection vulnerability in Prestashop PrestaShop is an Open Source e-commerce web application. | 8.8 |