CVE-2023-39642
Description
Carts Guru cartsguru up to v2.4.2 was discovered to contain a SQL injection vulnerability via the component CartsGuruCatalogModuleFrontController::display().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Carts Guru module for PrestaShop up to v2.4.3 contains a SQL injection in display() and catalog.php, enabling unauthenticated remote code execution; it is abused in the wild in webskimmer attacks.
Vulnerability
The Carts Guru module for PrestaShop (cartsguru) up to version 2.4.3 has an SQL injection vulnerability in the CartsGuruCatalogModuleFrontController::display() method and the legacy script controllers14/catalog.php. An unauthenticated guest can exploit this via a crafted HTTP request. The module author deleted vulnerable files but did not ensure they were removed upon upgrade, leaving many installations exposed [1].
Exploitation
An attacker can send a malicious HTTP request to the affected endpoint without authentication or user interaction. The vulnerability is actively exploited to deploy webskimmer scripts that steal credit card information. The exploit path can be concealed within frontend logs, making detection difficult without custom logging or WAF rules [1].
Impact
Successful exploitation allows an attacker to perform SQL injection, leading to potential data breach including admin credentials and customer credit card data. Due to active exploitation, this vulnerability poses a critical risk to confidentiality, integrity, and availability (CVSS 9.8) [1].
Mitigation
The vendor has not released a definitive fix; versions up to 2.4.3 are considered impacted. It is recommended to immediately upgrade to the latest version beyond 2.4.3 if available, or uninstall the module. Additionally, implement web application firewall rules (e.g., mod_security AuditEngine) to detect SQLi attempts [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Carts Guru / cartsguru
- Range: <=2.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of SQL parameters in CartsGuruCatalogModuleFrontController::display() and controllers14/catalog.php allows SQL injection [ref_id=1]."
Attack vector
An unauthenticated guest can trigger the SQL injection by sending a crafted HTTP request to the vulnerable endpoint [ref_id=1]. The attack vector is network-based, requires no privileges or user interaction, and has low complexity [ref_id=1]. The proof of concept demonstrates injecting a malicious SQL payload via the `cartsguru_catalog_limit` parameter in a GET request to `controllers14/catalog.php` [ref_id=1]. Attackers can conceal the module controller's path during exploitation, making detection difficult in conventional frontend logs [ref_id=1].
Affected code
The vulnerability resides in the method `CartsGuruCatalogModuleFrontController::display()` and the ajax script `controllers14/catalog.php` [ref_id=1]. These components contain SQL calls that accept unsanitized user input, allowing injection of arbitrary SQL statements [ref_id=1].
What the fix does
The advisory notes that the author deleted the vulnerable files from the module but did not configure them to be auto-deleted during upgrades, meaning merchants who updated were not truly safe [ref_id=1]. Versions up to 2.4.3 are considered impacted because past upgrades did not auto-delete the implicated files [ref_id=1]. The advisory marks version 2.4.3 as the version where the fix is "truly" applied, implying the vulnerable files are properly removed in that release [ref_id=1].
Preconditions
- Authentication: none required; a guest can exploit the vulnerability
- Configuration: the vulnerable module (cartsguru) must be installed and the vulnerable files must still be present on the server
- Network: network access to the PrestaShop instance is required
- Input: the attacker sends a crafted HTTP GET request with a malicious SQL payload in the cartsguru_catalog_limit parameter
Reproduction
curl -v 'https://preprod.XX/modules/cartsguru/controllers14/catalog.php?cartsguru_catalog_limit=1;select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--' [ref_id=1]
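The advisory notes that exploitation is hard to spot in ordinary frontend logs and recommends custom logging or WAF rules. The following is an added detection example, not code from the advisory or the module: it scans combined-format access log lines (constructed here) for requests to the cartsguru catalog endpoints in which `cartsguru_catalog_limit` is anything other than a small plain integer, the only legitimate shape for a limit parameter. It assumes the module front controller is reached through PrestaShop's usual `index.php?fc=module&module=cartsguru&controller=catalog` route in addition to the legacy `controllers14/catalog.php` path named in the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Legacy ajax script named in the advisory; the module-controller route below is an assumption.
LEGACY_PATH = "/modules/cartsguru/controllers14/catalog.php"
PARAM = "cartsguru_catalog_limit"
SAFE_LIMIT = re.compile(r"^[0-9]{1,6}$")  # a pagination limit should be a short integer

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def is_cartsguru_catalog_request(path, query):
    """True for the legacy script path or the assumed module-controller dispatch route."""
    if path.endswith(LEGACY_PATH):
        return True
    q = parse_qs(query)
    return q.get("module") == ["cartsguru"] and q.get("controller") == ["catalog"]

def check_request(target):
    """Return None if the request is not a cartsguru catalog call, else 'ok' or 'suspicious'."""
    parts = urlsplit(target)
    if not is_cartsguru_catalog_request(parts.path, parts.query):
        return None
    # parse_qs percent-decodes values, so encoded ';' or spaces are inspected decoded.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    if any(not SAFE_LIMIT.match(v) for v in values):
        return "suspicious"
    return "ok"

def scan_access_log(lines):
    """Return (client_ip, timestamp, target) for every suspicious request in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than guess
        ip, ts, _method, target = m.groups()
        if check_request(target) == "suspicious":
            hits.append((ip, ts, target))
    return hits

# Constructed sample log lines (not real traffic): one benign call, two injection attempts
# via each endpoint form, and one unrelated request.
LOG_LINES = [
    '203.0.113.5 - - [10/Aug/2023:12:00:01 +0000] "GET /modules/cartsguru/controllers14/catalog.php?cartsguru_catalog_limit=20 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Aug/2023:12:00:02 +0000] "GET /modules/cartsguru/controllers14/catalog.php?cartsguru_catalog_limit=1%3Bselect%201 HTTP/1.1" 200 87',
    '198.51.100.7 - - [10/Aug/2023:12:00:03 +0000] "GET /index.php?fc=module&module=cartsguru&controller=catalog&cartsguru_catalog_limit=5%3Bselect%201 HTTP/1.1" 200 300',
    '198.51.100.8 - - [10/Aug/2023:12:00:04 +0000] "GET /index.php?id_product=12 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, ts, target in scan_access_log(LOG_LINES):
        print(f"{ts} {ip} suspicious cartsguru_catalog_limit in {target}")
```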
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.