SQL Injection in prestashop/blockwishlist
Description
An authenticated SQL injection vulnerability in PrestaShop's blockwishlist module allows attackers to manipulate database queries; fixed in version 2.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2022-31101 is an authenticated SQL injection vulnerability in the PrestaShop blockwishlist module. The flaw exists because the module directly concatenates user-controlled sort parameters into an SQL query without proper sanitization. Specifically, the toLegacyOrderWay() method output is used directly in an orderBy clause [1][4].
Exploitation Conditions
An attacker must be an authenticated customer to exploit this vulnerability. No special privileges beyond a valid customer account are required. The injection occurs in the wishlist block's product listing functionality when a request includes crafted sort order parameters [3][4]. The attack complexity is low, as the vulnerable code path is triggered during normal module operation.
Impact
Successful exploitation could allow an attacker to read, modify, or delete database content, potentially compromising sensitive data such as customer information, orders, and other e-commerce data. The CVSS vector indicates potential impacts on confidentiality, integrity, and availability [3].
Mitigation
The vulnerability is fixed in blockwishlist version 2.1.1. The patch adds validation using PrestaShop's Validate::isOrderBy and Validate::isOrderWay methods to ensure only legitimate sort values are used [4]. Users should upgrade to version 2.1.1 or later. No workarounds are available [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
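To make the overview and mitigation concrete, here is an added example (not code from PrestaShop or the blockwishlist module) contrasting the pre-fix pattern, where caller-supplied sort field and direction are concatenated straight into ORDER BY, with the post-fix pattern, where both components are validated first. The `is_order_by` and `is_order_way` helpers only approximate the intent of PrestaShop's Validate::isOrderBy and Validate::isOrderWay and are assumptions, as are the `SORTABLE_COLUMNS` allowlist, the `product` table and the sample rows, which are constructed for the demo. ORDER BY identifiers cannot be bound as query parameters, which is why an allowlist check is the right control here.

```python
"""Allowlist validation of ORDER BY input, modelled on the blockwishlist fix (added example)."""
import re
import sqlite3

# Constructed sample rows standing in for a wishlist product listing (assumption).
_SAMPLE_ROWS = [
    (1, "Mug", 9.50),
    (2, "Hoodie", 39.00),
    (3, "Sticker", 2.00),
]

# Hypothetical allowlist of columns a customer may sort by; the module's own
# legacy sort mapping is not reproduced here.
SORTABLE_COLUMNS = {"id_product", "name", "price"}

# Plain identifier shape; approximates Validate::isOrderBy (assumption, not the real regex).
_IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def is_order_by(value: str) -> bool:
    """Sort field must look like a bare identifier AND be on the allowlist."""
    return bool(_IDENTIFIER_RE.match(value)) and value in SORTABLE_COLUMNS


def is_order_way(value: str) -> bool:
    """Sort direction must be exactly ASC or DESC (case-insensitive), nothing else."""
    return value.upper() in ("ASC", "DESC")


def build_query_vulnerable(sort_by: str, sort_way: str) -> str:
    """Pre-fix pattern: caller-controlled sort parameters are concatenated verbatim."""
    return f"SELECT id_product, name, price FROM product ORDER BY {sort_by} {sort_way}"


def build_query_hardened(sort_by: str, sort_way: str) -> str:
    """Post-fix pattern: the ORDER BY clause is only emitted when both parts validate.

    Mirrors the patch, which skips orderBy() entirely on failed validation.
    """
    base = "SELECT id_product, name, price FROM product"
    if is_order_by(sort_by) and is_order_way(sort_way):
        return f"{base} ORDER BY {sort_by} {sort_way.upper()}"
    return base


def run(sort_by: str, sort_way: str) -> list:
    """Execute the hardened query against an in-memory table and return the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id_product INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", _SAMPLE_ROWS)
    rows = conn.execute(build_query_hardened(sort_by, sort_way)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    # A constructed malformed sort field: passes straight through in the old pattern,
    # is dropped by the hardened one.
    bad_field = "price, (SELECT 1)"
    print(build_query_vulnerable(bad_field, "ASC"))
    print(build_query_hardened(bad_field, "ASC"))
    print(run("price", "DESC"))
```

Note that the hardened builder, like the patch, silently omits ORDER BY on invalid input; a deployment that wants failed validations to be visible should log them or return a fixed default ordering instead.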
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| prestashop/blockwishlist (Packagist) | >= 2.0.0, < 2.1.1 | 2.1.1 |
Affected products
- Range: >= 2.0.0, < 2.1.1
Patches
b3ec4b85af5f Merge pull request from GHSA-2jx3-5j9v-prpp
1 file changed · +5 −1
src/Search/WishListProductSearchProvider.php+5 −1 modified@@ -35,6 +35,7 @@ use Product; use Shop; use Symfony\Component\Translation\TranslatorInterface; +use Validate; use WishList; /** @@ -167,7 +168,10 @@ private function getProductsOrCount( if ('products' === $type) { $sortOrder = $query->getSortOrder()->toLegacyOrderBy(true); - $querySearch->orderBy($sortOrder . ' ' . $query->getSortOrder()->toLegacyOrderWay()); + $sortWay = $query->getSortOrder()->toLegacyOrderWay(); + if (Validate::isOrderBy($sortOrder) && Validate::isOrderWay($sortWay)) { + $querySearch->orderBy($sortOrder . ' ' . $sortWay); + } $querySearch->limit((int) $query->getResultsPerPage(), ((int) $query->getPage() - 1) * (int) $query->getResultsPerPage()); $products = $this->db->executeS($querySearch);
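Review bot: in the second hunk, when `Validate::isOrderBy($sortOrder)` or `Validate::isOrderWay($sortWay)` fails, the `orderBy()` call is skipped silently, so the listing is returned in unspecified order with no error and no log entry; consider falling back to a fixed default ordering (or rejecting the request) so a failed validation is observable rather than invisible. The `use Validate;` hunk is required by the new calls and is fine as is.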
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2jx3-5j9v-prpp (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-31101 (advisory)
- packetstormsecurity.com/files/168003/Prestashop-Blockwishlist-2.1.0-SQL-Injection.html (web)
- github.com/PrestaShop/blockwishlist/commit/b3ec4b85af5fd73f74d55390b226d221298ca084 (fix commit)
- github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp (vendor advisory)