CVE-2022-31181
published 2022-08-01


Priority: P181 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.07% (91.3th percentile)
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prestashop | prestashop | | |
| prestashop | prestashop | >= 1.6.0.10 < 1.7.8.7 | 1.7.8.7 |
| prestashop | prestashop | >= 1.6.0.10 < 1.7.8.7 | 1.7.8.7 |

Detection & IOCs (extracted from sources)

url: /login?create_account=1
url: /module/blockwishlist/action?action=getAllWishlist
url: /module/blockwishlist/action?action=addProductToWishlist
url: /module/blockwishlist/view
command: id_wishlist={{id_wishlist}}&order=product.price;UPDATE+ps_configuration+SET+value+=1+WHERE+name+LIKE+'%_SMARTY_CACHE';--.desc&from-xhr=
command: id_wishlist={{id_wishlist}}&order=product.price;UPDATE+ps_configuration+SET+value+='mysql'+WHERE+name+LIKE+'%_SMARTY_CACHING_TYPE';--.desc&from-xhr=
command: id_wishlist={{id_wishlist}}&order=product.price;UPDATE+ps_smarty_cache+SET+content=concat(content,"echo+md5('{{num}}');");--.desc&from-xhr=
cookie: PrestaShop-[0-9a-f]{32}
  • Exploit chain begins with account creation POST to /login?create_account=1, followed by wishlist API calls to /module/blockwishlist/action and /module/blockwishlist/view — monitor for these sequential requests from the same source IP.
  • SQL injection payload is injected into the `order` parameter of POST /module/blockwishlist/view; look for semicolons and SQL keywords (UPDATE, SET, WHERE, LIKE) in that parameter.
  • Attacker enables MySQL Smarty caching by updating ps_configuration table, then injects PHP code into ps_smarty_cache.content via concat(), which is later eval'd — detect UPDATE statements targeting ps_smarty_cache or ps_configuration in SQL logs.
  • Successful RCE verification produces the MD5 hash c8c605999f3d8352d7bb792cf3fdb25b (md5('999999999')) in the HTTP response body — alert on this value appearing in web server responses.
  • Shodan fingerprinting queries for exposed PrestaShop instances: http.component:"Prestashop" or cpe:"cpe:2.3:a:prestashop:prestashop".
  • The exploit restores original configuration after execution (sets SMARTY_CACHE back to 0 and SMARTY_CACHING_TYPE back to 'filesystem') — a rapid sequence of opposing UPDATE statements on ps_configuration is a strong behavioral indicator.
  • The vulnerability only exists when the MySQL Smarty cache feature is enabled (or can be enabled via SQL injection). Instances using filesystem caching exclusively and not vulnerable to the SQLi may not be exploitable end-to-end.
  • Affected version range is 1.6.0.10 through 1.7.8.6 inclusive; version 1.7.8.7 contains the fix. Detections should be scoped to these versions.
  • The exploit requires the blockwishlist module to be installed and active on the PrestaShop instance; shops without this module are not exploitable via this attack path.
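
The first two detection points above, written as a log check. This is an added example, not code from the sources this page extracts from. It assumes request records are available as (source IP, method, URL, body) tuples, for instance from a WAF or reverse proxy that captures POST bodies; the record layout, function names and sample IPs are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

VIEW_PATH = "/module/blockwishlist/view"
ACTION_PATH = "/module/blockwishlist/action"
SQL_KEYWORDS = re.compile(r"\b(UPDATE|SET|WHERE|LIKE)\b", re.IGNORECASE)
CACHE_TABLES = re.compile(r"\bps_(configuration|smarty_cache)\b", re.IGNORECASE)

def order_findings(method, url, body):
    """Return the indicators found in the `order` field of a wishlist view POST."""
    if method.upper() != "POST" or urlsplit(url).path != VIEW_PATH:
        return []
    findings = []
    # separator="&" keeps ';' inside the value; a parser that also splits
    # on ';' would truncate `order` and hide the stacked statement.
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    for value in fields.get("order", []):
        if ";" in value:
            findings.append("semicolon")
        if SQL_KEYWORDS.search(value):
            findings.append("sql-keyword")
        if CACHE_TABLES.search(value):
            findings.append("cache-table")
    return findings

def chain_sources(records):
    """Source IPs that create an account, call the wishlist action API and
    then send a flagged `order` value, in that order."""
    stage, flagged = {}, []  # stage: ip -> number of chain steps seen so far
    for ip, method, url, body in records:
        parts, step = urlsplit(url), stage.get(ip, 0)
        if step == 0 and parts.path == "/login" and "create_account=1" in parts.query:
            stage[ip] = 1
        elif step == 1 and parts.path == ACTION_PATH:
            stage[ip] = 2
        elif step == 2 and order_findings(method, url, body):
            stage[ip] = 3
            flagged.append(ip)
    return flagged

# Constructed sample records: (source IP, method, URL, request body)
SAMPLE = [
    ("203.0.113.7", "POST", "/login?create_account=1", "email=a%40example.test"),
    ("198.51.100.4", "POST", VIEW_PATH, "id_wishlist=3&order=product.price.desc&from-xhr="),
    ("203.0.113.7", "POST", ACTION_PATH + "?action=getAllWishlist", ""),
    ("203.0.113.7", "POST", VIEW_PATH,
     "id_wishlist=1&order=product.price;UPDATE+ps_configuration+SET+value+=1"
     "+WHERE+name+LIKE+'%_SMARTY_CACHE';--.desc&from-xhr="),
]

if __name__ == "__main__":
    print(chain_sources(SAMPLE))
```

Access logs that record only the request line will not contain the `order` field, so this check needs a source that captures POST bodies.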

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 · CRITICAL