The e-commerce platform PrestaShop has confirmed that it was hacked

The PrestaShop e-commerce platform has been widely exploited by hackers through an unknown vulnerability to execute code and steal customers’ payment information. PrestaShop’s security team confirmed the hacking incident and urged its 300,000 shop admins to review their software security status following the attack.

The security researchers said that the attack impacted shops running PrestaShop versions 1.6.0.10 or later, as well as versions 1.7.8.2 that run a module named Wishlist, versions 2.0.0 to 2.1.0, which is vulnerable to SQL injection. The vulnerability that helped attackers gain access is tracked as CVE-2022-36408.

The attackers targeted the Wishlist module with an SQL injection exploit to gain unauthorized access to the website’s database and steal users’ payment details. PrestaShop said, “We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability.” The security researchers stated that the attacker sent a POST request to a vulnerable endpoint to gain access to the web server’s data. The attacker then performed a GET request to the homepage, to grab data from the homepage data resource. This created a blm.php file at the root directory, which allowed the threat actor to execute commands on the compromised server. The company reported that in many cases the threat actor used this web shell to create a fake checkout page in order to steal customers’ payment card details. The threat actor successfully erased their traces from the server following the cyberattack on PrestaShop.
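The request sequence described above (a POST, then a GET to the homepage, then use of blm.php) can be hunted for in web server access logs. The following is an added example, not code from PrestaShop or the researchers: the log lines are constructed, the POST path is a placeholder because the article does not name the endpoint, and the 30-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Aug/2022:10:00:01 +0000] "POST /placeholder/endpoint HTTP/1.1" 200 512
198.51.100.7 - - [01/Aug/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 48211
198.51.100.7 - - [01/Aug/2022:10:00:09 +0000] "GET /blm.php HTTP/1.1" 200 17
203.0.113.20 - - [01/Aug/2022:10:01:00 +0000] "POST /cart HTTP/1.1" 200 900
203.0.113.20 - - [01/Aug/2022:10:09:00 +0000] "GET / HTTP/1.1" 200 48211
192.0.2.44 - - [01/Aug/2022:10:12:00 +0000] "GET /category/shoes HTTP/1.1" 200 30112
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
WINDOW = timedelta(seconds=30)  # assumed gap between the POST and the homepage GET
SHELL_NAME = "blm.php"          # file name reported in the article


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)


def find_suspects(log_text):
    """Return {ip: set of findings} for the request pattern described above."""
    last_post = {}   # ip -> time of that client's most recent POST
    findings = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "POST":
            last_post[ip] = when
        elif method == "GET" and path == "/" and ip in last_post \
                and when - last_post[ip] <= WINDOW:
            findings.setdefault(ip, set()).add("post-then-homepage")
        if path.rsplit("/", 1)[-1].lower() == SHELL_NAME and status != 404:
            findings.setdefault(ip, set()).add("webshell-request")
    return findings


if __name__ == "__main__":
    for ip, hits in find_suspects(SAMPLE_LOG).items():
        print(ip, sorted(hits))
```

Because the article reports that the attackers erased their traces from the server, this check is most useful against access logs kept on a separate host.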

Reportedly, PrestaShop has upgraded its web versions, performed a security fix by strengthening MySQL Smarty cache storage, and applied more security updates.



