On May 22, 2025, a critical vulnerability affecting the popular AP Page Builder module for PrestaShop was disclosed on security.friendsofpresta.org. Identified as CVE-2024-6648, the issue scored 8.7 on the CVSS scale, making it a serious risk for thousands of PrestaShop stores.
What’s the vulnerability?
This is an Absolute Path Traversal vulnerability (CWE-36), which allows an attacker to request arbitrary files from the server.
In versions prior to 4.0.0, the module improperly handles a `config` parameter in Base64 format sent to `apajax.php`. By manipulating this payload, an unauthenticated attacker can read any file that the PHP process has access to — including sensitive configuration and system files.
How does the attack work?
The attacker sends a crafted GET request to the `apajax.php` file with a Base64-encoded `config` parameter. Within this payload, the attacker modifies the `product_item_path` value to specify a file to read.
Example attack request:
Decoded JSON payload:
⚠️ Important: Attackers can obfuscate the Base64 string using special characters (e.g., `Li4$vLi4-vY#...`) to bypass firewalls. PHP’s `base64_decode()` silently ignores these characters, making detection harder.
Proof of Concept
A working proof of concept was published by n0d0n on GitHub:
👉 github.com/n0d0n/CVE-2024-6648
Who is affected?
- All PrestaShop stores using AP Page Builder < 4.0.0
- Over 2,000 themes across various marketplaces include this module
If you use themes by Apollo Theme or marketplaces that bundle Page Builder features, you are likely at risk.
How to protect your store
- Update AP Page Builder to version 4.0.0 or higher immediately.
- If you use ModSecurity, prefer `base64DecodeExt` over `base64Decode`, since the former tolerates the stray characters that `base64_decode()` ignores.
- Inspect server logs for unusual requests to `apajax.php` with `config` parameters.
- Review your file permission settings so the PHP process can read only the files it actually needs.
- Consider using a WAF or security module with detection rules for path traversal.
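The log-inspection and obfuscation points above go together: a filter that only decodes clean Base64 will miss a `config` value peppered with `$` or `-`, because `base64_decode()` drops those characters before parsing. The script below is an added example written for this post, not code from the advisory or from the n0d0n proof of concept. It reads constructed Apache-style access-log lines, picks out requests to `apajax.php` carrying a `config` parameter, decodes the value the lenient way PHP does, and flags a `product_item_path` that is absolute or contains a `..` segment. The log format, the `/modules/appagebuilder/apajax.php` path, and the benign template name are assumptions for the sake of the example; the parameter and key names come from the post, and the post does not say how deeply `product_item_path` is nested, so the search is recursive.

```python
"""Flag apajax.php requests whose Base64 'config' parameter hides a path-traversal
product_item_path. Added example for the CVE-2024-6648 write-up, not the module's code."""
import base64
import binascii
import json
import re
from typing import Any, Iterable, Optional
from urllib.parse import unquote

# Standard Base64 alphabet; PHP's non-strict base64_decode() silently drops anything else,
# which is what lets "Li4$vLi4-vY..." style obfuscation slip past a naive filter.
_NON_B64 = re.compile(r"[^A-Za-z0-9+/=]")
# Absolute Unix/Windows paths, or any '..' path segment.
_TRAVERSAL = re.compile(r"^(/|[A-Za-z]:[\\/])|(^|[\\/])\.\.([\\/]|$)")
# Client, method and URL from an Apache/nginx combined-format line (assumed log format).
_REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*"')


def lenient_b64decode(payload: str) -> Optional[bytes]:
    """Decode like PHP's base64_decode($s) without the strict flag: discard foreign
    characters, then repair the '=' padding. Returns None if it still cannot decode."""
    cleaned = _NON_B64.sub("", payload).rstrip("=")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def _query_params(url: str) -> dict:
    """Split the raw query string by hand: parse_qs would turn a literal '+' (valid
    Base64 data) into a space and corrupt the payload."""
    params = {}
    for pair in url.partition("?")[2].split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), unquote(value))
    return params


def _find_key(node: Any, key: str) -> Optional[str]:
    """First string stored under `key` at any depth of the decoded JSON (nesting assumed unknown)."""
    if isinstance(node, dict):
        if isinstance(node.get(key), str):
            return node[key]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        hit = _find_key(child, key)
        if hit is not None:
            return hit
    return None


def inspect_log_line(line: str) -> Optional[dict]:
    """Return a finding for an apajax.php request whose config parameter decodes to a
    traversal-looking product_item_path or contains obfuscation characters, else None."""
    m = _REQ_RE.match(line)
    if not m:
        return None
    client, method, url = m.groups()
    path = url.partition("?")[0]
    if not path.endswith("/apajax.php"):
        return None
    raw = _query_params(url).get("config")
    if raw is None:
        return None
    finding = {"client": client, "method": method, "path": path,
               "obfuscated": bool(_NON_B64.search(raw)), "traversal": False,
               "product_item_path": None, "reason": None}
    decoded = lenient_b64decode(raw)
    if decoded is None:
        finding["reason"] = "config is not decodable Base64"
        return finding
    try:
        cfg = json.loads(decoded.decode("utf-8", errors="replace"))
    except json.JSONDecodeError:
        finding["reason"] = "config decodes but is not JSON"
        return finding
    item_path = _find_key(cfg, "product_item_path")
    finding["product_item_path"] = item_path
    finding["traversal"] = bool(item_path and _TRAVERSAL.search(item_path))
    if finding["traversal"]:
        finding["reason"] = "product_item_path is absolute or escapes the module directory"
    elif finding["obfuscated"]:
        finding["reason"] = "config contains characters outside the Base64 alphabet"
    else:
        return None  # clean Base64 with a relative template path: nothing to report
    return finding


def scan_log(lines: Iterable[str]) -> list:
    return [f for f in (inspect_log_line(ln) for ln in lines) if f is not None]


def _config(obj: dict) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed payloads: the benign template name is a placeholder, not the module's real default.
BENIGN_CONFIG = _config({"product_item_path": "product_item.tpl"})
TRAVERSAL_CONFIG = _config({"product_item_path": "/etc/passwd"})
# Same payload with "$-" inserted every four characters, the evasion the post describes.
OBFUSCATED_CONFIG = "$-".join(TRAVERSAL_CONFIG[i:i + 4] for i in range(0, len(TRAVERSAL_CONFIG), 4))

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '198.51.100.7 - - [08/May/2025:10:00:01 +0000] "GET /index.php?id_product=3 HTTP/1.1" 200 8123',
    '198.51.100.8 - - [08/May/2025:10:00:02 +0000] '
    f'"GET /modules/appagebuilder/apajax.php?config={BENIGN_CONFIG} HTTP/1.1" 200 512',
    '203.0.113.5 - - [08/May/2025:10:00:03 +0000] '
    f'"GET /modules/appagebuilder/apajax.php?config={OBFUSCATED_CONFIG} HTTP/1.1" 200 1440',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against a real `access.log` by replacing `SAMPLE_LOG` with the file's lines; the `obfuscated` flag on its own is worth alerting on, because legitimate clients have no reason to send a `config` value containing characters outside the Base64 alphabet.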
Timeline
| Date | Event |
|---|---|
| 2024-07-15 | Vulnerability reported to the developer by Incibe |
| 2024-08-16 | Developer requested a 1-year disclosure delay |
| 2024-10-16 | 9-month delay agreed |
| 2025-05-08 | Public disclosure and PoC released |
If your store uses the AP Page Builder module, this is a must-fix issue. CVE-2024-6648 allows anyone on the internet to access sensitive files, potentially leading to full compromise of your shop.
Check if you have the module by looking for `modules/appagebuilder/` in your PrestaShop directory, and update now.
Need help securing your store? Leave a comment or reach out — your store's security is too important to leave to chance.