VYPR

Unrated severity · NVD Advisory · Published Oct 17, 2023 · Updated Sep 13, 2024

CVE-2023-45386

Description

PrestaShop extratabspro module up to 2.2.7 allows unauthenticated SQL injection via search functions, enabling full database compromise even if the module is disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The extratabspro module for PrestaShop (versions up to and including 2.2.7) contains SQL injection vulnerabilities in the searchcategory(), searchproduct(), and searchmanufacturer() methods. These methods are reachable through the ajax_extratabspro.php endpoint without any authentication. Even if the module is disabled, the vulnerable code remains present and exploitable. The fix was released in version 2.2.8. [1]

Exploitation

An unauthenticated attacker can send specially crafted HTTP POST requests to the ajax_extratabspro.php script. The parameters search_feature, searchsupplier, search, and search_product are directly concatenated into SQL queries. A proof-of-concept demonstrates injecting a time-based payload (sleep(42)) via a simple curl command. No user interaction or special privileges are required. [1]

Impact

A successful SQL injection can lead to complete compromise of the PrestaShop database. Attackers could obtain administrator access, delete data, extract sensitive tokens to access admin AJAX scripts, or rewrite SMTP settings to hijack emails. This vulnerability is rated critical (CVSS 9.8) and is known to be actively exploited to deploy web skimmers that steal credit card information. [1]

Mitigation

The vulnerability is fixed in version 2.2.8 of the extratabspro module. Users should immediately update to this version. If upgrading is not possible, the module should be completely removed from the server. An unpatched module would have to be treated as unmaintained, but in this case the vendor has released a fix. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input sanitization in SQL queries within extratabspro::searchcategory(), extratabspro::searchproduct(), and extratabspro::searchmanufacturer() allows SQL injection."

Attack vector

An unauthenticated guest sends a crafted HTTP POST request to `/modules/extratabspro/ajax_extratabspro.php` with a malicious payload in parameters such as `search_feature`, `searchsupplier`, `search`, `search_product`, or `search_manufacturer` [1]. The payload contains a SQL injection string that closes the intended query and executes arbitrary SQL commands [1]. The attack requires no privileges, no user interaction, and can be performed over the network [1]. The exploit works even if the module is not activated [1].

Affected code

The vulnerable methods are `extratabspro::searchcategory()`, `extratabspro::searchproduct()`, and `extratabspro::searchmanufacturer()` in the extratabspro module for PrestaShop [1]. The entry point is the file `/modules/extratabspro/ajax_extratabspro.php`, which accepts POST parameters including `search_feature`, `searchsupplier`, `search`, `search_product`, and `search_manufacturer` [1].

What the fix does

The advisory states that version 2.2.8 fixed the vulnerability, but no patch diff is provided in the bundle [1]. The fix would involve properly sanitizing or parameterizing the SQL queries in the three affected methods (`searchcategory()`, `searchproduct()`, `searchmanufacturer()`) to prevent injection of user-supplied input [1].

Preconditions

  • network: Attacker must be able to send HTTP POST requests to the PrestaShop instance.
  • auth: No authentication required; a guest can perform the attack.
  • input: Attacker crafts a POST parameter with a SQL injection payload.

Reproduction

curl -v -X POST -d 'search_feature=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--' 'https://preprod.X/modules/extratabspro/ajax_extratabspro.php'

curl -v -X POST -d 'searchsupplier=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--' 'https://preprod.X/modules/extratabspro/ajax_extratabspro.php'

curl -v -X POST -d 'search=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--' 'https://preprod.X/modules/extratabspro/ajax_extratabspro.php'

curl -v -X POST -d 'search_product=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--' 'https://preprod.X/modules/extratabspro/ajax_extratabspro.php'

curl -v -X POST -d 'search_manufacturer=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--' 'https://preprod.X/modules/extratabspro/ajax_extratabspro.php'

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)