CVE-2023-43979
Description
A critical SQL injection vulnerability in PrestaHero ybc_blog module before v4.4.0 allows unauthenticated attackers to execute arbitrary SQL queries via the getPosts() method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper neutralization of SQL parameters (CWE-89) exists in the PrestaHero (ETS Soft) ybc_blog module for PrestaShop. The cited advisory lists versions up to and including 3.3.8 as affected [1], while the CVE description above covers every release before the fixed 4.4.0. The vulnerability resides in the method Ybc_blogBlogModuleFrontController::getPosts(), which a guest can reach with a single HTTP request and no authentication [1]. Two module features shape the injection point: the request parameter is read with Tools::getValue(), which returns the raw value from the query string or POST body, and the module's friendly URL feature means the front controller can be reached through a rewritten path rather than the usual index.php?fc=module&module=ybc_blog form [1].
Exploitation
An attacker exploits this by sending a crafted HTTP request to the vulnerable front controller with SQL syntax in the injected parameter. No authentication or user interaction is required, and the attack complexity is low [1]. Because the parameters can be sent in a POST body, and the front controller may sit behind a friendly URL, a web server access log that records only the request line shows just "POST /" and never the module, controller or payload [1]; request-body logging, for example a WAF audit log, is needed to see the attempt.
Impact
Successful exploitation allows an attacker to perform arbitrary SQL queries against the database. This can lead to obtaining admin access, removing data, exposing sensitive tokens from tables, rewriting SMTP settings to hijack emails, and compromising the confidentiality, integrity, and availability of the PrestaShop instance with a CVSS base score of 9.8 (critical) [1].
Mitigation
The fixed version is 4.4.0, released by PrestaHero (ETS Soft) [1]. Upgrade the module to version 4.4.0 or later immediately. There is no known KEV listing for this CVE. Administrators can also enable the AuditEngine of ModSecurity or a similar Web Application Firewall: audit logging captures request bodies, so injection attempts that the access log records only as "POST /" become visible and can be blocked with the WAF's SQL injection rules [1].
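The logging caveat above (the access log shows only "POST /", the audit log shows the body) turned into a small detector, as an added example that is not part of this page or of the module. It parses ModSecurity's serial audit-log format, merges query-string and body parameters, keeps only requests aimed at the ybc_blog blog controller, and grades the 'tag' value by the SQL syntax it contains. The sample log, transaction IDs, addresses and the payload are constructed for the example; the indicator regex is an assumption, not a CRS rule.

```python
"""Scan a ModSecurity serial audit log for ybc_blog getPosts() injection attempts."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample (not a real capture): three transactions in ModSecurity's
# serial audit format. Section A is the summary line, B the request headers,
# C the request body, Z the end marker.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[26/May/2026:10:00:01 +0000] aaaa 203.0.113.5 51234 198.51.100.10 443
--1a2b3c4d-B--
POST / HTTP/1.1
Host: shop.example
Content-Type: application/x-www-form-urlencoded

--1a2b3c4d-C--
fc=module&module=ybc_blog&controller=blog&tag=promo
--1a2b3c4d-Z--

--5e6f7a8b-A--
[26/May/2026:10:00:02 +0000] bbbb 198.51.100.77 40000 198.51.100.10 443
--5e6f7a8b-B--
POST / HTTP/1.1
Host: shop.example
Content-Type: application/x-www-form-urlencoded

--5e6f7a8b-C--
fc=module&module=ybc_blog&controller=blog&tag=x%27%29+UNION+SELECT+1%2C2%2C3--+-
--5e6f7a8b-Z--

--9c0d1e2f-A--
[26/May/2026:10:00:03 +0000] cccc 203.0.113.9 50000 198.51.100.10 443
--9c0d1e2f-B--
GET /index.php?fc=module&module=ybc_blog&controller=blog&tag=rock%27n%27roll HTTP/1.1
Host: shop.example

--9c0d1e2f-Z--
"""

SECTION_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")

def parse_audit_log(text):
    """Group audit log lines into {transaction_id: {section_letter: section_text}}."""
    txns = {}
    cur_id = cur_sec = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            cur_id, cur_sec = m.groups()
            txns.setdefault(cur_id, {}).setdefault(cur_sec, [])
        elif cur_id is not None:
            txns[cur_id][cur_sec].append(line)
    return {tid: {s: "\n".join(v).strip() for s, v in secs.items()}
            for tid, secs in txns.items()}

def request_line(txn):
    """What a request-line-only access log would record for this transaction."""
    headers = txn.get("B", "")
    return headers.splitlines()[0] if headers else ""

def request_params(txn):
    """Merge query-string and url-encoded body parameters (body values override)."""
    params = {}
    parts = request_line(txn).split()
    if len(parts) >= 2:
        params.update({k: v[0] for k, v in parse_qs(urlparse(parts[1]).query).items()})
    body = txn.get("C", "")
    if body:
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return params

# Assumed indicators: comment sequences, UNION/SELECT, tautologies, time-based functions.
STRONG_RE = re.compile(
    r"(--|#|/\*|\bunion\b|\bselect\b|\bor\b\s+\S+\s*=|\bsleep\s*\(|\bbenchmark\s*\()", re.I)

def classify_tag(tag):
    """'high' for clear SQL syntax, 'low' for a lone quote (probe or benign apostrophe)."""
    if STRONG_RE.search(tag):
        return "high"
    if "'" in tag or '"' in tag:
        return "low"
    return None

def scan(text):
    """Return findings for ybc_blog blog-controller requests whose 'tag' looks like SQL."""
    findings = []
    for tid, txn in parse_audit_log(text).items():
        params = request_params(txn)
        if params.get("module") != "ybc_blog" or params.get("controller") != "blog":
            continue
        severity = classify_tag(params.get("tag", ""))
        if severity is None:
            continue
        summary = txn.get("A", "").split()
        client = summary[3] if len(summary) > 3 else "?"
        findings.append({"id": tid, "client": client, "severity": severity,
                         "request_line": request_line(txn), "tag": params["tag"]})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG):
        print(finding)
```

The benign and the malicious POST produce the identical request line "POST / HTTP/1.1", which is all a default access log keeps; only the C section separates them. The "low" grade exists because a lone apostrophe is common in real tags, so it should feed a review queue rather than a block rule.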
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
ETS Soft / ybc_blog
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `getPosts()` method in the `Ybc_blogBlogModuleFrontController` class improperly neutralizes SQL parameters, allowing for SQL injection."
Attack vector
An unauthenticated guest can exploit this vulnerability by sending a crafted HTTP request that reaches the Ybc_blogBlogModuleFrontController::getPosts() method. Malicious SQL placed in the 'tag' parameter is incorporated into a query without proper neutralization, so the attacker's input changes the structure of the query and arbitrary SQL runs against the shop database [1].
Affected code
The vulnerability resides in the Ybc_blogBlogModuleFrontController::getPosts() method in modules/ybc_blog/controllers/front/blog.php. The fix targets the lines that read the 'tag' parameter and build the SQL query from it [1].
What the fix does
The patch modifies Ybc_blogBlogModuleFrontController::getPosts() so that the 'tag' parameter is validated before it reaches the query. The previous Validate::isCleanHtml() check was insufficient because it is an HTML/XSS filter: it rejects script tags and event handlers but does nothing about quotes, comment sequences or SQL keywords, so an injection payload passes it untouched. The updated code handles the 'tag' value so that it can no longer alter the query, which closes the SQL injection [1].
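The distinction the fix turns on, that an HTML-cleanliness check does not bound SQL, shown as an added example. This is a constructed Python model over an in-memory SQLite database, not the module's PHP: is_clean_html_like() is a simplified stand-in for an HTML filter of the Validate::isCleanHtml() kind, the table names, the hashed secret and the payload are assumptions, and the two hardened variants show the two layers a fix can use (an allowlist on the tag, and binding the value instead of interpolating it).

```python
"""Model of the ybc_blog 'tag' injection and its fix, on an in-memory SQLite DB."""
import re
import sqlite3

# Simplified stand-in (assumption) for an HTML-sanity check such as Validate::isCleanHtml():
# it looks for script-like tags, inline event handlers and javascript: URLs, nothing SQL-related.
_HTML_PATTERNS = re.compile(r"<\s*(script|iframe|object|embed)|\bon[a-z]+\s*=|javascript:", re.I)

def is_clean_html_like(value):
    return _HTML_PATTERNS.search(value) is None

# Allowlist for a blog tag: letters, digits, space, underscore, hyphen, at most 64 chars.
TAG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$")

def validate_tag(value):
    """Reject anything that is not a plausible tag; quotes and comments cannot pass."""
    if not TAG_RE.fullmatch(value):
        raise ValueError(f"invalid tag: {value!r}")
    return value

def build_db():
    """Constructed schema: a posts table plus a table an attacker would want to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE blog_post (id INTEGER PRIMARY KEY, title TEXT, tag TEXT);
        CREATE TABLE employee  (id INTEGER PRIMARY KEY, email TEXT, passwd TEXT);
        INSERT INTO blog_post VALUES (1, 'Summer sale', 'promo'), (2, 'New theme', 'design');
        INSERT INTO employee  VALUES (1, 'admin@shop.example', '$2y$10$hashhashhash');
    """)
    return conn

def get_posts_vulnerable(conn, tag):
    """Pre-fix pattern: HTML check, then raw string interpolation into the query."""
    if not is_clean_html_like(tag):
        return []
    sql = f"SELECT id, title FROM blog_post WHERE tag = '{tag}'"
    return conn.execute(sql).fetchall()

def get_posts_bound_only(conn, tag):
    """Binding alone: the whole value is compared as data, so it cannot change the query."""
    return conn.execute("SELECT id, title FROM blog_post WHERE tag = ?", (tag,)).fetchall()

def get_posts_fixed(conn, tag):
    """Post-fix pattern: allowlist validation first, then a bound parameter."""
    return get_posts_bound_only(conn, validate_tag(tag))

# Constructed payload: closes the string, appends a UNION, comments out the trailing quote.
PAYLOAD = "x' UNION SELECT id, email || ':' || passwd FROM employee -- "

def demo():
    """Run the payload through each variant and report what happened."""
    conn = build_db()
    leaked = get_posts_vulnerable(conn, PAYLOAD)
    try:
        get_posts_fixed(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "html_check_passes": is_clean_html_like(PAYLOAD),
        "leaked": leaked,
        "bound_only": get_posts_bound_only(conn, PAYLOAD),
        "blocked": blocked,
    }

if __name__ == "__main__":
    print(demo())
```

The HTML filter returns True for the payload, the interpolated query returns an employee row, the bound query returns nothing, and the allowlist rejects the value before any query runs. In PrestaShop the corresponding tools are a Validate allowlist check and escaping with pSQL() before a value is concatenated into SQL; which of these the 4.4.0 release uses is not stated on this page.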
Preconditions
- input: The 'tag' parameter must carry the attacker's SQL.
- network: The vulnerable module must be installed and its front controller reachable.
- auth: No authentication is required; a guest user can exploit this.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.