VYPR
Unrated severity · NVD Advisory · Published Mar 8, 2024 · Updated Nov 14, 2024

CVE-2024-25848

Description

A guest can perform SQL injection in the Ever Ultimate SEO module for PrestaShop ≤8.1.2 via vulnerable SQL calls in hookHeader().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The EverPsSeo module's hookHeader() method builds SQL queries by concatenating the request-controlled $controller_name value straight into the query string, without neutralizing it, so an attacker-supplied value can change the structure of the query. Affected versions are ≤8.1.2 of the module for PrestaShop 1.7+ and ≤7.13.4 for PrestaShop 1.6. Because hookHeader() runs on every front-office page, the vulnerable code is reached by any request to the shop, with no special precondition [1].

Exploitation

An attacker sends a crafted HTTP request to any front-office page, placing SQL syntax in the page parameter that hookHeader() reads into $controller_name. No authentication or user interaction is required; the attack vector is network and the complexity low. Standard front-end logs record only a generic POST request, so the attempt does not stand out [1].

Impact

Successful exploitation gives the attacker read and write access to the shop database: obtaining admin access, deleting data from the PrestaShop instance, extracting sensitive information such as tokens, or rewriting the SMTP settings to hijack outgoing e-mail. This is a complete compromise of confidentiality, integrity and availability; the advisory rates it CVSS 9.8 (critical) [1].

Mitigation

Fixed versions are 8.1.3 for PrestaShop 1.7+ and 7.13.5 for PrestaShop 1.6, released around the advisory date (March 2024). The fix passes the value through pSQL() instead of concatenating it raw. If upgrading is not immediately possible, a WAF such as mod_security can help detect or block attempts, but that is a stopgap rather than a fix; upgrading the module is strongly recommended [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The EverPsSeo::hookHeader() method improperly neutralizes SQL parameters, allowing for SQL injection."

Attack vector

A guest user triggers the vulnerability with a crafted HTTP call to any front-office page, since the PrestaShop hook involved is active on every page. Conventional front-end logs show only a generic POST request, so the attempt is hard to spot. Exploitation can yield administrative access, data deletion or exposure of sensitive information [ref_id=1].

Affected code

The vulnerability is in the `hookHeader()` method of `everpsseo.php` in the Ever Ultimate SEO module, specifically the queries that read from the `'._DB_PREFIX_.'meta` table with `$controller_name` concatenated into the query string.

What the fix does

The patch wraps the user-supplied value in pSQL() instead of concatenating it raw when building the SQL queries in EverPsSeo::hookHeader(). pSQL() escapes the quote and control characters that would otherwise terminate a string literal, so the value can no longer break out of the quoted string and inject SQL [ref_id=1]. Note that pSQL() is only a complete fix where the value sits inside a quoted string literal; a value used in numeric context (an unquoted id, for example) must be cast with (int) instead, because a payload such as 1 OR 1=1 contains no quote for pSQL() to escape.
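The following is an added example, not code from the module or the advisory: a Python model of the concatenation bug described for hookHeader() in the Vulnerability and Exploitation sections, and of the pSQL()-style escaping fix, run against an in-memory SQLite copy of a meta table. The table layout, the sample rows, the employee table, the payloads and the psql() stand-in for PrestaShop's pSQL() are all constructed for the illustration; SQLite escapes a quote by doubling it where MySQL's pSQL() backslash-escapes, but the effect on the query is the same. The last two functions show the caveat that escaping protects only a quoted literal, not an unquoted numeric value, which must be cast instead.

```python
import re
import sqlite3

DB_PREFIX = "ps_"  # assumption: PrestaShop's default table prefix (_DB_PREFIX_)


def make_db():
    """In-memory stand-in for the shop database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        f"CREATE TABLE {DB_PREFIX}meta (id_meta INTEGER, page TEXT);"
        f"INSERT INTO {DB_PREFIX}meta VALUES (1, 'index'), (2, 'product'), (3, 'category');"
        f"CREATE TABLE {DB_PREFIX}employee (email TEXT, passwd TEXT);"
        f"INSERT INTO {DB_PREFIX}employee VALUES ('admin@shop.test', 'constructed-hash');"
    )
    return con


def lookup_vulnerable(con, controller_name):
    """Vulnerable pattern: the request-controlled value is concatenated into the SQL."""
    sql = ("SELECT id_meta, page FROM " + DB_PREFIX + "meta"
           " WHERE page = '" + controller_name + "'")
    return con.execute(sql).fetchall()


def psql(value):
    """Stand-in for PrestaShop's pSQL(): escape quotes so the value stays inside
    the string literal. SQLite doubles the quote; MySQL backslash-escapes it."""
    return str(value).replace("'", "''")


def lookup_fixed(con, controller_name):
    """Fixed pattern: the value is escaped before it is placed in the literal."""
    sql = ("SELECT id_meta, page FROM " + DB_PREFIX + "meta"
           " WHERE page = '" + psql(controller_name) + "'")
    return con.execute(sql).fetchall()


def lookup_parameterized(con, controller_name):
    """Stronger alternative: a bound parameter, so no SQL string is built from input."""
    sql = "SELECT id_meta, page FROM " + DB_PREFIX + "meta WHERE page = ?"
    return con.execute(sql, (controller_name,)).fetchall()


def lookup_numeric_escaped_only(con, id_meta):
    """Caveat: escaping only protects a quoted literal. In an unquoted numeric
    context the payload needs no quote, so psql() leaves it intact."""
    sql = ("SELECT id_meta, page FROM " + DB_PREFIX + "meta"
           " WHERE id_meta = " + psql(id_meta))
    return con.execute(sql).fetchall()


def lookup_numeric_cast(con, id_meta):
    """Correct numeric handling: take the leading integer, like PHP's (int) cast."""
    m = re.match(r"\s*[+-]?\d+", str(id_meta))
    n = int(m.group()) if m else 0
    sql = ("SELECT id_meta, page FROM " + DB_PREFIX + "meta"
           " WHERE id_meta = " + str(n))
    return con.execute(sql).fetchall()


# Constructed payloads. The UNION one closes the literal, appends a second
# SELECT with the same column count, and comments out the trailing quote;
# the employee table name assumes the default prefix.
UNION_PAYLOAD = ("index' UNION ALL SELECT 0, email || ':' || passwd"
                 " FROM " + DB_PREFIX + "employee -- ")
NUMERIC_PAYLOAD = "1 OR 1=1"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:    ", lookup_vulnerable(con, UNION_PAYLOAD))
    print("psql():        ", lookup_fixed(con, UNION_PAYLOAD))
    print("parameterized: ", lookup_parameterized(con, UNION_PAYLOAD))
    print("numeric+psql():", lookup_numeric_escaped_only(con, NUMERIC_PAYLOAD))
    print("numeric+cast:  ", lookup_numeric_cast(con, NUMERIC_PAYLOAD))
```

Running the script shows the vulnerable lookup returning the employee row appended to the legitimate meta row, the escaped and parameterized lookups returning nothing for the same payload, and the numeric case still returning every row when only psql() is applied. The takeaway for reviewing a fix like this one is to check each query site for the context the value lands in: pSQL() for quoted strings, (int) for ids, or parameters where the data layer allows it.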

Preconditions

  • auth: The vulnerability can be exploited by a guest user, meaning no authentication is required.
  • input: The attack requires sending a crafted HTTP call with malicious SQL parameters.

Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.