CVE-2023-46347
published 2023-10-25


Priority: P188 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 49.89% (98.8th percentile)
In the module "Step by Step products Pack" (ndk_steppingpack) version 1.5.6 and before from NDK Design for PrestaShop, a guest can perform SQL injection. The method `NdkSpack::getPacks()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

Affected

1 range

Vendor      Product            Version range   Fixed in
ndkdesign   ndk_steppingpack   < 1.5.7         1.5.7

Detection & IOCs (extracted from sources)

path: /modules/ndk_steppingpack/search-result.php
command: search_query=1%22%29;select+0x73656c65637420736c6565702836293b+into+@a;prepare+b+from+@a;execute+b;--
  • Monitor POST requests to /modules/ndk_steppingpack/search-result.php for SQL injection patterns in the search_query parameter, including stacked queries, UNION-based payloads, and time-delay constructs (e.g., SLEEP()).
  • Time-based detection: a response duration >= 6 seconds to the endpoint with a stacked-query sleep payload is a strong indicator of successful exploitation.
  • Union-based detection: look for the MD5 hash of a known numeric canary value (e.g., md5(999999999)) reflected in the HTTP response body.
  • The vulnerable method is NdkSpack::getPacks(); trace SQL calls originating from this method in application-level logging.
  • Shodan fingerprint for exposed attack surface: search for http.component:"prestashop" to identify potentially vulnerable PrestaShop instances.
  • No authentication is required; the injection is exploitable by unauthenticated (guest) users via a single HTTP POST request.
  • Affected versions are ndk_steppingpack 1.5.6 and earlier; version 1.5.7+ is patched. Ensure version checks are scoped accordingly.
  • The Nuclei template uses a 15-second HTTP timeout per request to accommodate the time-based sleep payload; detection tooling should be configured with a matching or longer timeout to avoid false negatives.
  • The template uses stop-at-first-match with two sequential payloads (time-based first, then union-based); a WAF or rate-limiter blocking the first request may prevent the union-based check from running.
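The following is an added detection example, not part of this record and not code from NDK Design or the Nuclei project. It turns the bullets above into a log scanner: it parses access-log lines, keeps only requests to the vulnerable endpoint, URL-decodes search_query, and flags stacked queries, UNION-based payloads and time-delay constructs, also looking inside MySQL hex literals (the page's own IOC hides `select sleep(6);` in one), then combines a delay indicator with a response time of 6 s or more into the "likely exploited" signal the bullets describe. The log format (combined log plus a trailing request-time field, as nginx's $request_time gives) and the assumption that the request target carries the form parameters (a GET, or a proxy/WAF that appends the POST body) are mine; the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

VULN_PATH = "/modules/ndk_steppingpack/search-result.php"
SLEEP_THRESHOLD_SECONDS = 6.0  # page: >= 6 s response with a sleep payload

# Assumed format: combined log with a trailing request-time field
# (nginx $request_time style). Target is assumed to carry the parameters.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")

INDICATORS = {
    "stacked_query": re.compile(r";\s*(select|insert|update|delete|set|prepare|execute)\b", re.I),
    "union_based": re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}


def parse_query(query):
    """Split a query string on '&' only (no ';' splitting, which would
    tear a stacked-query payload apart) and URL-decode keys and values."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def expand_hex_literals(value):
    """Append the ASCII decoding of every MySQL hex literal (0x...) so that
    keywords smuggled inside it become visible to the pattern matchers."""
    extras = []
    for h in HEX_LITERAL.findall(value):
        if len(h) % 2 == 0:
            try:
                extras.append(bytes.fromhex(h).decode("ascii"))
            except (ValueError, UnicodeDecodeError):
                pass
    return value + " " + " ".join(extras) if extras else value


def classify_search_query(raw_query):
    """Return the set of indicator names found in the search_query values."""
    findings = set()
    for value in parse_query(raw_query).get("search_query", []):
        text = expand_hex_literals(value)
        findings.update(name for name, rx in INDICATORS.items() if rx.search(text))
    return findings


def scan_log_line(line):
    """Return (indicators, slow_response) for a request to the vulnerable
    endpoint, or None when the line is something else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    return classify_search_query(parts.query), float(m.group("rt")) >= SLEEP_THRESHOLD_SECONDS


def scan_log(lines):
    """Return one finding per suspicious request to the vulnerable endpoint."""
    findings = []
    for line in lines:
        result = scan_log_line(line)
        if result is None:
            continue
        indicators, slow = result
        if not indicators and not slow:
            continue
        findings.append({
            "ip": LOG_RE.match(line).group("ip"),
            "indicators": sorted(indicators),
            "slow_response": slow,
            # delay construct plus a >= 6 s response: the page's "strong
            # indicator of successful exploitation"
            "likely_exploited": slow and "time_delay" in indicators,
        })
    return findings


# Constructed sample lines (not real traffic). The second carries the page's
# IOC payload; its hex literal decodes to "select sleep(6);".
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Oct/2023:10:00:01 +0000] "POST /modules/ndk_steppingpack/search-result.php?search_query=blue+shoes HTTP/1.1" 200 4212 "-" "Mozilla/5.0" 0.041',
    '198.51.100.7 - - [25/Oct/2023:10:00:09 +0000] "POST /modules/ndk_steppingpack/search-result.php?search_query=1%22%29;select+0x73656c65637420736c6565702836293b+into+@a;prepare+b+from+@a;execute+b;-- HTTP/1.1" 200 4212 "-" "python-requests/2.31" 6.120',
    '198.51.100.7 - - [25/Oct/2023:10:00:16 +0000] "POST /modules/ndk_steppingpack/search-result.php?search_query=1%22%29+union+select+md5%28999999999%29--+- HTTP/1.1" 200 4380 "-" "python-requests/2.31" 0.052',
    '203.0.113.9 - - [25/Oct/2023:10:00:20 +0000] "GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 9001 "-" "Mozilla/5.0" 0.030',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed lines, the scanner reports the stacked-query request as likely exploited (delay construct plus a 6.12 s response) and the UNION request as an indicator-only hit; the benign search and the unrelated product page produce nothing. A plain keyword match on `SLEEP(` would have missed the first request, which is why the hex literals are decoded before matching.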

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL