CVE-2023-44024
Description
SQL injection in KnowBand SuperCheckout PrestaShop module ≤v8.0.3 allows unauthenticated remote attackers to execute arbitrary SQL queries via crafted requests to updateCheckoutBehaviour().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An SQL injection vulnerability exists in the KnowBand Module One Page Checkout, Social Login & Mailchimp (supercheckout) for PrestaShop up to and including version 8.0.3. The flaw resides in the SupercheckoutSupercheckoutModuleFrontController::updateCheckoutBehaviour() function in /controllers/front/supercheckout.php. An unauthenticated remote attacker can send a crafted HTTP POST request to the front controller, injecting malicious SQL parameters that are not properly neutralized, leading to arbitrary SQL execution. The vulnerability is classified as CWE-89 with a CVSS v3 base score of 9.8 (critical) [1].
Exploitation
An attacker needs only network access to the PrestaShop instance; no authentication or user interaction is required. The exploit is performed via a simple HTTP call targeting the module's front controller path. Attackers often conceal the controller path during the exploit, making it appear as a generic POST / request in conventional frontend logs. The attack can be carried out by any anonymous user. The official advisory warns that this vulnerability is actively exploited in the wild to deploy a web skimmer aimed at stealing credit card data [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries against the PrestaShop database. This can lead to total compromise of the shop: reading sensitive data (customer info, credit card details), deleting data, modifying SMTP settings to hijack emails, exposing admin tokens, and gaining admin access. The impact on confidentiality, integrity, and availability is rated as high. Attackers have been observed using this vulnerability to install persistent credit card skimmers [1].
Mitigation
The vulnerability is fixed in version 8.0.4 of the module, released on 2023-10-05. Users are strongly advised to upgrade to 8.0.4 immediately. No workarounds are provided; the vendor recommendation is to update. Additionally, enabling the AuditEngine of mod_security (or similar WAF) can help detect exploitation attempts. The module should not be used on end-of-life PrestaShop versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
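The log-visibility point made under Exploitation (the request shows up only as a generic POST / in the access log) and the AuditEngine recommendation above can be turned into a concrete check. The following Python script is an added example written for this page, not code from KnowBand, PrestaShop or the advisory: it parses a ModSecurity serial audit log (which records request bodies when the audit engine is on and part C is included in SecAuditLogParts), decodes the PrestaShop front-controller routing carried in the POST body, and flags requests bound for the supercheckout module whose parameters contain SQL metacharacters. The routing parameters fc=module&module=supercheckout&controller=supercheckout follow PrestaShop's standard module front-controller convention; the action and id_cart parameter names, the client addresses and the two audit records themselves are constructed for illustration and are not the module's real interface.

```python
"""
Detection sketch for CVE-2023-44024 exploitation attempts (added example).

Assumes a ModSecurity serial audit log with at least parts A, B and C
logged (SecAuditEngine On, SecAuditLogParts ABCFHZ), so that POST bodies
are available. A plain access log would show both records below as the
same "POST / HTTP/1.1" line and could not tell them apart.
"""
import re
from urllib.parse import parse_qs

# Constructed sample: two audit-log records. Section A is the audit header
# (timestamp, unique id, source ip/port, destination ip/port), section B the
# request line and headers, section C the request body. The action and
# id_cart parameter names are assumptions, not the module's real interface.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-A--
[05/Oct/2023:10:15:01 +0000] ZR4xYz8AAAEAAAxPq8sAAAAA 203.0.113.10 51234 198.51.100.5 443
--a1b2c3d4-B--
POST / HTTP/1.1
Host: shop.example
Content-Type: application/x-www-form-urlencoded
--a1b2c3d4-C--
fc=module&module=supercheckout&controller=supercheckout&action=updateCheckoutBehaviour&id_cart=1%27%20OR%201%3D1--%20-
--a1b2c3d4-Z--

--e5f6a7b8-A--
[05/Oct/2023:10:16:44 +0000] ZR4xZ18AAAEAAAxPq8sAAAAB 192.0.2.77 40001 198.51.100.5 443
--e5f6a7b8-B--
POST / HTTP/1.1
Host: shop.example
Content-Type: application/x-www-form-urlencoded
--e5f6a7b8-C--
fc=module&module=supercheckout&controller=supercheckout&action=updateCheckoutBehaviour&id_cart=42
--e5f6a7b8-Z--
"""

# Section boundary line: --<record id>-<part letter>--
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)

# Crude SQL metacharacter / keyword check applied to each decoded parameter
# value; tune for your traffic, this is deliberately simple.
SQLI_RE = re.compile(
    r"(?:'|\"|--|/\*|;|\bor\b\s+\S+\s*=|\bunion\b|\bsleep\s*\(|\bbenchmark\s*\()",
    re.I,
)


def parse_audit_log(text):
    """Split a serial audit log into records: one dict of part letter -> text each."""
    records, order = {}, []
    parts = SECTION_RE.split(text)  # [pre, id, letter, body, id, letter, body, ...]
    for i in range(1, len(parts), 3):
        rec_id, letter, body = parts[i], parts[i + 1], parts[i + 2]
        if rec_id not in records:
            records[rec_id] = {}
            order.append(rec_id)
        records[rec_id][letter] = body.strip("\n")
    return [records[r] for r in order]


def client_ip(rec):
    """Source IP is the 4th whitespace-separated field of part A."""
    fields = rec.get("A", "").split()
    return fields[3] if len(fields) > 3 else ""


def analyse_record(rec):
    """Decode routing and parameter values from the body of one record."""
    request_line = rec.get("B", "").splitlines()[0] if rec.get("B") else ""
    params = {k: v[0] for k, v in parse_qs(rec.get("C", "")).items()}
    routes_to_module = (
        params.get("fc") == "module" and params.get("module") == "supercheckout"
    )
    suspicious = [k for k, v in params.items() if SQLI_RE.search(v)]
    return {
        "client": client_ip(rec),
        "request_line": request_line,
        "routes_to_supercheckout": routes_to_module,
        "suspicious_params": suspicious,
    }


def find_suspicious(audit_text):
    """Return records that target the supercheckout module with SQL-looking values."""
    return [
        info
        for info in map(analyse_record, parse_audit_log(audit_text))
        if info["routes_to_supercheckout"] and info["suspicious_params"]
    ]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_AUDIT_LOG):
        print(f"{hit['client']} {hit['request_line']} -> "
              f"supercheckout, suspicious params: {hit['suspicious_params']}")
```

Both sample records produce an identical "POST / HTTP/1.1" access-log line; only the decoded body shows which one carries a quote and a comment sequence in a parameter, which is why the audit log (with bodies) rather than the access log is the right source for this check.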
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- KnowBand / One Page Checkout, Social Login & Mailchimp
  - Range: <=8.0.3
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.