0-Day Vulnerabilities in PrestaShop Make E-Commerce Sites Vulnerable

Multiple critical 0-day security vulnerabilities that threat actors use to inject malicious code into e-commerce sites have been detected in the PrestaShop e-commerce platform. Used in combination, the vulnerabilities allow threat actors to achieve remote code execution (RCE) on affected web servers and capture customers’ payment information.

The attack requires the platform to be vulnerable to SQL injection exploits. In the analysis performed, the attack starts with the threat actors sending malicious GET and POST requests to the endpoint open to SQL injection. The threat actors then gain full control through a PHP file created in the platform’s root directory and inject a fake payment form on the prepayment page. Credit card information that store customers enter in the fake form is captured in this way. Additionally, PrestaShop officials stated that threat actors might be using MySQL Smarty cache storage features as part of the attack vector. Therefore, it is recommended to disable this feature as a mitigation measure.

The SQL injection vulnerabilities affect PrestaShop versions 1.6.0.10 or higher. Versions 1.7.8.2 and higher are not affected by the security vulnerability in default configurations. PrestaShop 1.7.8.7 was released to harden MySQL Smarty cache storage against code injection attacks. Web application administrators using vulnerable PrestaShop versions must immediately apply the updates that fix the vulnerabilities.
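A triage sketch for the version ranges and the root-directory PHP file described above, added here as an example and not code from PrestaShop or from the original article. The function names, the suffix list and the operator-supplied baseline of known-good SHA-256 hashes (built from a clean copy of the same release) are assumptions.

```python
import hashlib
import os
import re

# Version boundaries exactly as stated in the article.
AFFECTED_FROM = (1, 6, 0, 10)     # SQL injection affects 1.6.0.10 or higher
DEFAULT_SAFE_FROM = (1, 7, 8, 2)  # not affected in default configurations
HARDENED_FROM = (1, 7, 8, 7)      # hardens MySQL Smarty cache storage
PHP_SUFFIXES = (".php", ".phtml", ".phar")  # assumption: executable PHP suffixes


def parse_version(text):
    """Turn '1.7.8.2' into (1, 7, 8, 2); missing trailing parts become 0."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text, re.ASCII):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))


def classify_version(text):
    """Map an installed version onto the ranges given in the article."""
    v = parse_version(text)
    if v >= HARDENED_FROM:
        return "at or above 1.7.8.7 (hardened)"
    if v >= DEFAULT_SAFE_FROM:
        return "not affected in default configuration"
    if v >= AFFECTED_FROM:
        return "affected"
    return "below stated range"


def audit_root_php(shop_root, baseline):
    """Compare PHP files directly under shop_root with a known-good
    {filename: sha256 hex} baseline. Returns (added, modified) name lists."""
    added, modified = [], []
    for entry in os.scandir(shop_root):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not entry.name.lower().endswith(PHP_SUFFIXES):
            continue
        with open(entry.path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if entry.name not in baseline:
            added.append(entry.name)      # file created after the baseline
        elif baseline[entry.name] != digest:
            modified.append(entry.name)   # known file whose content changed
    return sorted(added), sorted(modified)
```

Any name in `added` on a shop in the affected range warrants review of the file and of the web server's request logs around its creation time.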
