Cyber Resilience

CVE-2023-27032

Critical

Published: 12 April 2023
Modified: 10 February 2025
KEV Added: not listed
Patch: 11 April 2023
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.4081 (97.5th percentile)
Risk priority: 44 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-27032 is a critical-severity SQL Injection (CWE-89) vulnerability in Idnovate Popup Module (On Entering, Exit Popup, Add Product) And Newsletter. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Prestashop advancedpopupcreator versions 1.1.21 through 1.1.24 contain a SQL injection vulnerability in the AdvancedPopup::getPopups() component. The flaw is tracked as CVE-2023-27032 with a CVSS 3.1 score of 9.8 and is classified under CWE-89.

An unauthenticated remote attacker can supply crafted input over the network to the affected module and execute arbitrary SQL commands against the underlying database. Successful exploitation grants full read, write, and delete access, enabling data exfiltration, modification of store content, or complete compromise of the Prestashop installation.

Public advisories published by Friends-of-Presta on 11 April 2023 detail the issue and direct users to the vendor module page for updates; administrators are advised to upgrade advancedpopupcreator to a corrected release or apply vendor-supplied patches without delay.

The associated EPSS score reached a peak of 0.4769 and currently stands at 0.4081, indicating that the predicted likelihood of exploitation has remained high since disclosure.

Vulnerability details

Prestashop advancedpopupcreator v1.1.21 to v1.1.24 was discovered to contain a SQL injection vulnerability via the component AdvancedPopup::getPopups().

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: idnovate
Product: popup module (on entering, exit popup, add product) and newsletter
Versions: 1.1.21 to 1.1.25

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying SQL injection weaknesses and supporting their remediation.

Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
