The open source e-commerce platform PrestaShop has released a new version that fixes a critical severity vulnerability that allows any user in the back office to write, update or delete SQL databases, regardless of their permissions.

Back office users are those who have access to the administrative interface of the website, including the owner, administrators, sales representatives, customer support agents, order processors, data entry personnel and others.

Each user’s permissions are set so that they are only allowed to access the information and features necessary for their role, which is a crucial security feature of PrestaShop.

Tracked as CVE-2023-30839 (CVSS v3.1 score: 9.9), the flaw allows any user, regardless of permissions, to make unauthorized changes to the online store’s database, which may cause significant damage or an interruption of service to the companies concerned.

The flaw, which has no mitigation other than upgrading, impacts all installations of PrestaShop versions 8.0.3 and earlier.

Although the requirement to have a user account on the vulnerable site mitigates the vulnerability somewhat, since online stores often employ large teams to process orders, the flaw introduces a risk of allowing rogue or disgruntled employees to cause damage.

Moreover, it opens up a larger attack surface for hackers, who can now compromise any user account on PrestaShop-based e-commerce sites and potentially inject malicious code and backdoors or access the SQL database.

Backdoor injections via website databases are a stealth attack tactic Sucuri recently reported is gaining traction in the wild, primarily targeting WordPress sites.

The software company solved it with the release of versions 8.0.4 and, released yesterday, which all PrestaShop website owners are advised to upgrade to as soon as possible.

The open-source e-commerce platform also patched two other vulnerabilities in its latest release, namely CVE-2023-30535 (CVSS v3.1: 7.7, “high”) and CVE-2023-30838 (CVSS v3.1: 8.0, “high”).

The first is an arbitrary file reading problem allowing unauthorized users to access critical information. The second is an XSS injection issue that can hijack every HTML element on the site and fire without interaction.

It is crucial to apply available security updates as soon as possible as hackers are always on the lookout for vulnerabilities in major platforms like PrestaShop.

In July 2022, the e-commerce software vendor urgently notified its users that hackers had targeted the platform by exploiting a zero-day vulnerability to perform SQL injections on PrestaShop-based sites.
