Critical Vulnerability in Facebook PrestaShop Module

Security researchers have disclosed a critical vulnerability (CVE-2024-36680) involving a premium Facebook module for PrestaShop named pkfacebook. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10. The proof-of-concept exploit code that targets this vulnerability is publicly available and is reportedly being actively exploited to deploy webskimmers, which are designed to steal credit card information from unsuspecting customers.

Successful exploitation of the SQL injection vulnerability in pkfacebook's facebookConnect.php Ajax script allows a remote attacker to forge SQL injection attacks and gain unauthorised access to the associated PrestaShop database. 

The vulnerability affects all versions prior to 1.0.1.

As all versions are considered as potentially impacted, users and administrators of PrestaShop websites are recommended to implement the following mitigation measures:

• Upgrade to the latest pkfacebook version, which disables multiquery executions.

• Ensure pSQL is used to avoid Stored XSS vulnerabilities, as it includes a strip_tags function for added security.

• Modify the default "ps_" prefix to a longer, arbitrary one to improve security.

• Activate OWASP 942 rules on the Web Application Firewall (WAF).

More information is available here:

• https://security.friendsofpresta.org/modules/2024/06/18/pkfacebook.html

• https://www.bleepingcomputer.com/news/security/facebook-prestashop-module-exploited-to-steal-credit-cards/