CVE-2023-27032
Published: 12 April 2023
Summary
CVE-2023-27032 is a critical-severity SQL Injection (CWE-89) vulnerability in Idnovate Popup Module (On Entering, Exit Popup, Add Product) And Newsletter. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Prestashop advancedpopupcreator versions 1.1.21 through 1.1.24 contain a SQL injection vulnerability in the AdvancedPopup::getPopups() component. The flaw is tracked as CVE-2023-27032 with a CVSS 3.1 score of 9.8 and is classified under CWE-89.
An unauthenticated remote attacker can supply crafted input over the network to the affected module and execute arbitrary SQL commands against the underlying database. Successful exploitation grants full read, write, and delete access to that database, enabling data exfiltration, modification of store content, or complete compromise of the Prestashop installation.
Public advisories published by Friends-of-Presta on 11 April 2023 detail the issue and direct users to the vendor module page for updates; administrators are advised to upgrade advancedpopupcreator to a corrected release or apply vendor-supplied patches without delay.
The associated EPSS score reached a peak of 0.4769 and currently stands at 0.4081, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30821
Vulnerability details
Prestashop advancedpopupcreator v1.1.21 to v1.1.24 was discovered to contain a SQL injection vulnerability via the component AdvancedPopup::getPopups().
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not yet run; the list below is derived from the weakness types (CWEs) cited in the NVD entry.