VYPR
Medium severity 6.3 · NVD Advisory · Published Jun 19, 2024 · Updated Apr 15, 2026

CVE-2024-34993

Description

In the module "Bulk Export products to Google Merchant-Google Shopping" (bagoogleshopping) up to version 1.0.26 from Buy Addons for PrestaShop, a guest can perform SQL injection via `GenerateCategories::renderCategories()`.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A guest can exploit an SQL injection in the PrestaShop module Bagoogleshopping up to v1.0.26 via GenerateCategories::renderCategories().

The module "Bulk Export products to Google Merchant-Google Shopping" (bagoogleshopping) from Buy Addons for PrestaShop, in versions up to 1.0.26, contains an SQL injection vulnerability in the method GenerateCategories::renderCategories(). The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) [1].

The attack vector is network-based, with low attack complexity and no privileges or user interaction required. An unauthenticated guest can forge a malicious HTTP call to trigger the SQL injection. The vulnerability is present because the module does not properly sanitize input before constructing SQL queries [1].

Successful exploitation can lead to severe impacts: obtaining admin access, copying or stealing sensitive data from database tables (such as tokens that can unlock admin AJAX scripts), redirecting emails by rewriting SMTP settings, or full compromise of the associated PrestaShop instance. The CVSS v3.1 base score is 9.8 (Critical), reflecting high impact on confidentiality, integrity, and availability [1].

The module author released version 1.0.26 to fix the vulnerability. Upgrading to the latest version is strongly recommended. Additionally, upgrading the PrestaShop platform itself can disable multiquery executions, reducing the risk of certain SQL injection attacks, though UNION-based attacks may still be possible. Users should ensure the module is updated and consider general hardening measures [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
