CVE-2023-47308
Description
In the module "Newsletter Popup PRO with Voucher/Coupon code" (newsletterpop) before version 2.6.1 from Active Design for PrestaShop, a guest can perform SQL injection in affected versions. The method NewsletterpopsendVerificationModuleFrontController::checkEmailSubscription() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in PrestaShop module Newsletter Popup PRO (newsletterpop) before 2.6.1 allows unauthenticated guests to execute arbitrary SQL via a trivial HTTP call.
Vulnerability
The PrestaShop module "Newsletter Popup PRO with Voucher/Coupon code" (newsletterpop) versions 2.3.1 through 2.4.53 and 2.5.2 through 2.6.0 are vulnerable to SQL injection. The method NewsletterpopsendVerificationModuleFrontController::checkEmailSubscription() contains unsanitized SQL calls that can be triggered by a trivial HTTP request from an unauthenticated guest. [1]
Exploitation
An attacker with network access can send a crafted HTTP POST request to the vulnerable front controller without any authentication or user interaction. The exploit does not require any special privileges and can be concealed within normal frontend logs, appearing as a simple "POST /" request. The advisory notes that this vulnerability is actively exploited to deploy a web skimmer for credit card theft. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries, leading to full compromise of the PrestaShop installation. This includes obtaining admin access, deleting data, and extracting sensitive information such as tokens from database tables. The CVSS score is 9.8 (Critical) with high impact on confidentiality, integrity, and availability. [1]
Mitigation
The vulnerability is fixed in version 2.6.1 of the newsletterpop module, released by Active Design. Users should upgrade to this version immediately. If upgrading is not possible, enabling ModSecurity's audit engine (SecAuditEngine) so that request bodies are logged, or an equivalent WAF rule set, may help detect exploitation attempts; only the patched version removes the flaw. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Active Design / Newsletter Popup PRO with Voucher/Coupon code
- Range: <2.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of SQL parameters in the `checkEmailSubscription()` method allows SQL injection."
Attack vector
A guest (unauthenticated attacker) can trigger the SQL injection by making a trivial HTTP call to the vulnerable PrestaShop front controller. The method `checkEmailSubscription()` contains sensitive SQL calls that are not properly neutralized, allowing an attacker to inject arbitrary SQL commands [ref_id=1]. Because PrestaShop resolves the target module and front controller from request parameters (`fc`, `module`, `controller`) that can be supplied in the POST body rather than the URL, the request can appear in conventional access logs as a bare "POST /" with no trace of the module controller's path, which makes detection difficult [ref_id=1]. The attack requires no privileges, no user interaction, and can be performed over the network with low complexity [ref_id=1].
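Detection logic for the concealed "POST /" request described above and for the audit-log mitigation mentioned under Mitigation, as an added example that is not part of the advisory or of the module. The sample log is constructed to approximate ModSecurity's native serial audit format (section A header, B request line and headers, C request body); the hit criteria, the marker regex and the `ps_employee` table name in the payload are assumptions for illustration.

```python
"""Flag requests routed to newsletterpop/sendVerification with SQL-looking parameters.

Added example, not code from the advisory or the module. SAMPLE_AUDIT_LOG is a
constructed log approximating ModSecurity's native serial audit format; the
section layout and the hit criteria are assumptions made for this illustration.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs

SAMPLE_AUDIT_LOG = """\
--3f1c2a9b-A--
[26/May/2026:10:14:02 +0000] aBcDeF 198.51.100.7 41022 10.0.0.5 443
--3f1c2a9b-B--
POST / HTTP/1.1
Host: shop.example
Content-Type: application/x-www-form-urlencoded

--3f1c2a9b-C--
fc=module&module=newsletterpop&controller=sendVerification&email=x%27+UNION+SELECT+passwd+FROM+ps_employee--+
--3f1c2a9b-Z--

--7d8e9f0a-A--
[26/May/2026:10:15:40 +0000] GhIjKl 203.0.113.4 52110 10.0.0.5 443
--7d8e9f0a-B--
POST / HTTP/1.1
Host: shop.example
Content-Type: application/x-www-form-urlencoded

--7d8e9f0a-C--
fc=module&module=newsletterpop&controller=sendVerification&email=alice%40example.test
--7d8e9f0a-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Crude SQL-injection markers; a real deployment would use a CRS-style rule set.
SQLI_MARKERS = re.compile(r"(?i)(['\"`]|--|/\*|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\()")
# Parameters PrestaShop's dispatcher reads to select a module front controller.
ROUTING_KEYS = ("fc", "module", "controller")


def parse_audit_log(text: str) -> list[dict]:
    """Split the serial audit log into entries keyed by section letter (A, B, C)."""
    entries: list[dict] = []
    cur, sec = None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            tid, sec = m.groups()
            if sec == "A":
                cur = {"id": tid, "A": [], "B": [], "C": []}
                entries.append(cur)
            continue
        if cur is not None and sec in ("A", "B", "C"):
            cur[sec].append(line)
    return entries


def find_hits(text: str) -> list[dict]:
    """Return entries routed to newsletterpop/sendVerification whose non-routing
    parameters contain SQL-looking content."""
    hits = []
    for entry in parse_audit_log(text):
        # A-section layout: [timestamp] unique_id client_ip client_port host_ip host_port
        client_ip = entry["A"][0].split()[3] if entry["A"] else "?"
        request_line = entry["B"][0] if entry["B"] else ""
        body = "\n".join(entry["C"]).strip()
        params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        routed_here = (
            params.get("fc") == "module"
            and params.get("module") == "newsletterpop"
            and params.get("controller") == "sendVerification"
        )
        if not routed_here:
            continue
        suspicious = sorted(k for k, v in params.items()
                            if k not in ROUTING_KEYS and SQLI_MARKERS.search(v))
        if suspicious:
            hits.append({"client_ip": client_ip, "request_line": request_line,
                         "suspicious_params": suspicious})
    return hits


if __name__ == "__main__":
    # The request line alone reads "POST / HTTP/1.1"; the controller and the
    # payload are only visible because the body (section C) was logged.
    for hit in find_hits(SAMPLE_AUDIT_LOG):
        print(hit)
```

The second entry in the sample is a legitimate subscription check with the same routing parameters and is not flagged, which is the distinction an access log without request bodies cannot make.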
Affected code
The vulnerability resides in the method `NewsletterpopsendVerificationModuleFrontController::checkEmailSubscription()` of the newsletterpop module for PrestaShop. The advisory does not specify the exact file path, but the method is part of the module's front controller class.
What the fix does
The advisory states that version 2.6.1 fixed the vulnerability, but no patch diff is provided in the bundle [ref_id=1]. The fix likely involves proper neutralization of SQL parameters in the `checkEmailSubscription()` method; in PrestaShop modules that conventionally means casting numeric inputs and passing string inputs through `pSQL()` before they reach `Db::getInstance()`, but without the patch the specific remediation changes cannot be confirmed.
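A model of the injection pattern attributed to `checkEmailSubscription()` beside a hardened form, as an added example that is not code from the newsletterpop module or from Active Design. The table layout, the function names and the payload are assumptions; the queries run against an in-memory SQLite database so that the example is self-contained. PrestaShop's own fix idiom is `pSQL()` and integer casts around `Tools::getValue()`; the same point is made here with bound parameters.

```python
"""Vulnerable vs. hardened subscription lookup (illustrative model, not module code).

Added example: the schema, function names and payload are assumptions made for
illustration. The 'employee' table stands in for any table holding secrets.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: a subscriber table plus a table holding
    secrets an attacker would want (stand-in for PrestaShop's employee table)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE newsletter_subscriber (id INTEGER, email TEXT, active INTEGER);
        INSERT INTO newsletter_subscriber VALUES (1, 'alice@example.test', 1);
        CREATE TABLE employee (id INTEGER, email TEXT, passwd TEXT);
        INSERT INTO employee VALUES (1, 'admin@example.test', 'hash-of-admin-password');
        """
    )
    return con


def check_email_subscription_vulnerable(con: sqlite3.Connection, email: str) -> list:
    # Vulnerable pattern: the request parameter is concatenated straight into SQL,
    # so a quote in the value ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT email FROM newsletter_subscriber WHERE email = '"
           + email + "' AND active = 1")
    return [row[0] for row in con.execute(sql)]


def check_email_subscription_fixed(con: sqlite3.Connection, email: str) -> list:
    # Hardened pattern: the parameter is bound and is never parsed as SQL.
    sql = "SELECT email FROM newsletter_subscriber WHERE email = ? AND active = 1"
    return [row[0] for row in con.execute(sql, (email,))]


# Constructed UNION payload: closes the string literal, appends a query against a
# different table, and comments out the trailing AND clause.
PAYLOAD = "x' UNION SELECT passwd FROM employee -- "


def demo() -> dict:
    """Run both variants against the payload and a legitimate address."""
    con = make_db()
    return {
        "vulnerable": check_email_subscription_vulnerable(con, PAYLOAD),
        "fixed": check_email_subscription_fixed(con, PAYLOAD),
        "legit": check_email_subscription_fixed(con, "alice@example.test"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable variant returns the secret from the other table even though the query was written as a subscription check; the bound-parameter variant returns nothing for the payload and still works for a real address, which is the behaviour a fixed `checkEmailSubscription()` should have.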
Preconditions
- Auth: none required; a guest can exploit the vulnerability
- Network: access to the PrestaShop instance
- Config: the newsletterpop module version must be >= 2.3.1 & <= 2.4.53 or >= 2.5.2 & <= 2.6.0
Reproduction
curl -X POST "http://target/index.php?fc=module&module=newsletterpop&controller=sendVerification" -d "email=test@example.com&id_cart=1 UNION SELECT ..."
The parameter name and payload above are placeholders; the description above does not name the request field that reaches the unsanitized query, and the elided payload is left as-is.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.