Open-source e-commerce website PrestaShop disclosed that threat actors are actively exploiting a zero-day vulnerability on its platform to inject malicious skimming code and capture payment information.
PrestaShop is a popular e-commerce platform used by roughly 300,000 members worldwide. The perpetrators likely aim to steal payment data such as credit card details and personally identifiable information (PII) that customers input on checkout pages.
The flaw, tracked as CVE-2022-36408, is an SQL injection vulnerability that affects PrestaShop versions 1.6.10 through 1.7.x before1.7.8.2. Perpetrators could leverage the vulnerability to perform arbitrary code execution remotely.
“The attack requires the shop to be vulnerable to SQL injection exploits,” reads PrestaShop’s announcement. “To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability.”
PrestaShop addressed the vulnerability in version 1.7.8.7 of the platform. The fix increases the service’s MySQL Smarty cache storage resistance to code injection attacks. According to the company’s security advisory, customers running older, vulnerable versions of the platform can manually remove the MySQL Smarty cache feature by deleting code from a configuration file.
“We would like to take the opportunity to stress once more the importance of keeping your system updated to keep your shop safe from attacks. This means regularly updating both your PrestaShop software and its modules, as well as your server environment.”
However, according to the platform’s release notes, simply updating the platform to the latest stable version might not be enough to secure your website if it has already been compromised. Customers who suspect their website has been affected by the flaw should consider a full audit from a security specialist to identify potential breaches.