VYPR
Unrated severity · NVD Advisory · Published Sep 15, 2023 · Updated Sep 25, 2024

CVE-2023-39643

Description

Bl Modules xmlfeeds before v3.9.8 was discovered to contain a SQL injection vulnerability via the component SearchApiXml::Xmlfeeds().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bl Modules XML Feeds PRO for PrestaShop ≤ 3.8.2 has a SQL injection in SearchApiXml::Xmlfeeds() allowing unauthenticated remote attackers to execute arbitrary SQL commands.

Vulnerability

A SQL injection vulnerability exists in Bl Modules' xmlfeeds (XML Feeds PRO) module for PrestaShop. The referenced advisory lists versions 3.8.2 and earlier as affected, while the NVD description words the range as "before v3.9.8", the release that carries the fix [1]. The flaw is in the SearchApiXml::Xmlfeeds() method, where user-supplied input reaches a SQL query without being neutralized (CWE-89).

Exploitation

The vulnerable endpoint is reachable by guest users, so exploitation needs neither authentication nor user interaction; the attack is network-based and of low complexity. The published proof of concept is a single HTTP GET to /modules/xmlfeeds/search.php carrying the s and s_p parameters, with the SQL payload placed in the s_p value [1].

Impact

Successful exploitation gives the attacker read and write access to the PrestaShop database. That is enough for administrative account takeover, data exfiltration (including credit card information), tampering with sensitive records, and overwriting the shop's SMTP settings to hijack outgoing e-mail. The referenced advisory scores the issue CVSS 9.8 (Critical), with high impact on confidentiality, integrity and availability [1]; NVD itself lists no rating.

Mitigation

The fix ships in version 3.9.8 of the xmlfeeds module; upgrade to that version or later. No other workaround is documented in the available references, so until the upgrade is applied the only interim measures are to restrict access to /modules/xmlfeeds/search.php at the web server or WAF and to review access logs for requests to it whose s_p value is not a plain list of numeric ids. The vulnerability is reportedly being exploited in the wild to deploy web skimmers targeting credit card data [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Improper neutralization of SQL parameters in the SearchApiXml::Xmlfeeds() method allows an attacker to inject arbitrary SQL commands."

Attack vector

An unauthenticated guest can trigger the SQL injection with a single HTTP request to the module's search endpoint [ref_id=1]. The proof of concept is a curl request to /modules/xmlfeeds/search.php?s=1&s_p=1 in which the s_p value first closes the open NOT IN ( ... ) parenthesis, then appends further statements separated by semicolons: a hex-encoded query is stored in a user variable and run through PREPARE/EXECUTE, and a trailing -- comments out the remainder of the original query [ref_id=1]. The attack needs no privileges and no user interaction and is performed over the network with low complexity [CWE-89] [ref_id=1].

Affected code

The vulnerability resides in the method SearchApiXml::Xmlfeeds() of the xmlfeeds module for PrestaShop. The diff cited by the advisory shows the vulnerable line in modules/xmlfeeds/xmlfeeds.php: the $selected_products value taken from the request is interpolated directly into a SQL NOT IN clause without sanitization [ref_id=1].

What the fix does

The patch replaces the direct interpolation of $selected_products with implode(',', array_map('intval', explode(',', $selected_products))) [ref_id=1]. Each comma-separated element is cast to an integer before the list is joined back together, so quotes, parentheses, semicolons and any stacked statements are reduced to the leading integer of the element (or to 0 when it has none), and only a comma-separated list of integers reaches the query. This is a cast to the expected type rather than escaping, which is the right fix for an integer id list, but it covers only this one interpolation point. The advisory also recommends upgrading to the latest module version, which additionally disables multiquery execution (semicolon-separated statements) as a second layer of defense [ref_id=1].
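As an added illustration, not code from the module or from the advisory, the following Python mirrors the before and after of that fix. The table and column names are assumptions (the page only says that $selected_products lands in a NOT IN clause), php_intval() emulates PHP's intval() on strings, and the sample inputs are constructed, with the s_p value copied from the advisory's proof of concept. The block also decodes the PoC's hex literal and runs the hardened query against an in-memory SQLite table to show what survives the cast.

```python
import re
import sqlite3

# Constructed sample inputs (not taken from a real shop).
BENIGN = "12,7,33"
# The advisory's PoC value for s_p: "1)" closes the NOT IN list, the rest stacks
# further statements; the hex literal is copied from the PoC.
ATTACK = ("1);select(0x73656C65637420736C656570283432293B)INTO@a;"
          "prepare`b`from@a;execute`b`;--")

# Hypothetical query shape: the page only says the value reaches a NOT IN clause,
# so the table and column names are assumptions for illustration.
QUERY_TEMPLATE = "SELECT id_product FROM ps_product WHERE id_product NOT IN ({ids})"


def php_intval(value: str) -> int:
    """Emulate PHP intval() on a string: skip leading whitespace, take an optional
    sign and the leading decimal digits, and return 0 when no digits lead the string."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def vulnerable_query(selected_products: str) -> str:
    """Pre-fix pattern: the raw request parameter is interpolated into the SQL text."""
    return QUERY_TEMPLATE.format(ids=selected_products)


def sanitized_ids(selected_products: str) -> list[int]:
    """PHP equivalent: array_map('intval', explode(',', $selected_products))."""
    return [php_intval(part) for part in selected_products.split(",")]


def fixed_query(selected_products: str) -> str:
    """Post-fix pattern: implode(',', array_map('intval', explode(',', $selected_products)))."""
    ids = ",".join(str(i) for i in sanitized_ids(selected_products))
    return QUERY_TEMPLATE.format(ids=ids)


def decode_hex_literal(literal: str) -> str:
    """Decode a MySQL 0x... string literal such as the one carried by the PoC."""
    return bytes.fromhex(literal[2:]).decode("ascii")


def run_fixed_query(selected_products: str) -> list[int]:
    """Execute the hardened query against an in-memory SQLite table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ps_product (id_product INTEGER PRIMARY KEY)")
    con.executemany("INSERT INTO ps_product VALUES (?)", [(1,), (7,), (12,), (33,)])
    rows = con.execute(fixed_query(selected_products) + " ORDER BY id_product")
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(vulnerable_query(ATTACK))   # stacked PREPARE/EXECUTE reaches the database
    print(fixed_query(ATTACK))        # ... NOT IN (1)
    print(decode_hex_literal("0x73656C65637420736C656570283432293B"))
    print(run_fixed_query(ATTACK))
```

The decoded literal is a time-based probe, which is why the advisory's request is a harmless way to confirm stacked-query execution: a response delayed by roughly that many seconds means the injected statement ran. Note the cast's edge case: an element with no leading digits becomes 0, which is harmless inside NOT IN but would silently change the result of a positive IN or equality filter, so the same fix pattern needs a validation step (reject the request on malformed ids) if reused elsewhere.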

Preconditions

  • Config: the target runs PrestaShop with the xmlfeeds module at version 3.8.2 or earlier
  • Auth: none required; the attacker can be unauthenticated
  • Network: the attacker must be able to send HTTP requests to the /modules/xmlfeeds/search.php endpoint
  • Input: the attacker supplies crafted s and s_p parameters carrying the SQL injection payload

Reproduction

The proof-of-concept request from the advisory [ref_id=1] (preprod.X is the advisory's placeholder host; the hex literal decodes to select sleep(42);, so a response delayed by about 42 seconds confirms that the stacked statement executed):

curl -v 'https://preprod.X/modules/xmlfeeds/search.php?s=1&s_p=1);select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--'

The URL must stay inside single quotes: the semicolons, parentheses and backticks are shell metacharacters, and curl sends them to the server unencoded.
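A log check for exploitation attempts, added here as an example and not part of the advisory: it scans combined-format access log lines (constructed below, not taken from a real server) for requests to the search endpoint whose s or s_p value is not a plain list of numeric ids and carries SQL markers. The assumption that legitimate values are numeric id lists follows the shape of the PoC (s=1&s_p=1); if s carries free-text search terms on a given shop, restrict the check to s_p.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed combined-format access log lines; hosts and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Sep/2023:10:01:02 +0000] "GET /modules/xmlfeeds/search.php?s=1&s_p=12,7,33 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Sep/2023:10:01:05 +0000] "GET /modules/xmlfeeds/search.php?s=1&s_p=1);select(0x73656C65637420736C656570283432293B)INTO@a;prepare%60b%60from@a;execute%60b%60;-- HTTP/1.1" 200 120 "-" "curl/8.1.2"
198.51.100.2 - - [20/Sep/2023:10:01:07 +0000] "GET /index.php?controller=product&id_product=7 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Sep/2023:10:01:09 +0000] "GET /modules/xmlfeeds/search.php?s=1&s_p=1)%20union%20select%201,2,3-- HTTP/1.1" 500 0 "-" "curl/8.1.2"
"""

# Combined log format: client, ident, user, [timestamp], "method target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/modules/xmlfeeds/search.php"
# Assumed legitimate shape of s and s_p: one or more decimal ids separated by commas.
ID_LIST_RE = re.compile(r"^\d+(,\d+)*$")
# Markers seen in the PoC plus the usual stacked/union injection vocabulary.
SQL_HINT_RE = re.compile(r"\b(select|union|prepare|execute|sleep)\b|0x[0-9a-f]+|--|;", re.I)


def query_params(query: str) -> list[tuple[str, str]]:
    """Split a raw query string on '&' only (never ';', which the payload uses) and decode."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def is_xmlfeeds_sqli(target: str) -> bool:
    """True when the request targets the module's search endpoint with a suspicious s/s_p."""
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT):
        return False
    for key, value in query_params(parts.query):
        if key in ("s", "s_p") and not ID_LIST_RE.match(value) and SQL_HINT_RE.search(value):
            return True
    return False


def scan_log(text: str) -> list[dict]:
    """Return one record per log line that looks like an exploitation attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_xmlfeeds_sqli(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["target"][:80])
```

A 200 on a flagged request is not proof of failure: the PoC above returns normally and only delays the response, so correlate flagged lines with response time if the log records it, and treat any flagged request from before the upgrade as reason to check the database for added admin accounts, changed SMTP settings and injected skimmer scripts.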

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)