Recently, PrestaShop online stores have been targeted by attacks exploiting SQL Injection and XSS (Cross-Site Scripting) vulnerabilities. Hackers use third-party modules with vulnerabilities to inject malicious code into the database or templates, which can lead to the theft of customers' confidential information.
What Are These Attacks? 🔍
SQL Injection is a hacking method where attackers inject malicious SQL queries into input fields to gain access to or modify data. In this case, attackers use vulnerable modules to inject scripts into the store's configuration parameters, such as PS_SHOP_NAME.
XSS (Cross-Site Scripting) allows attackers to inject malicious JavaScript code through module templates that use the nofilter tag. This can result in script execution directly in the client's browser.
How to Check if Your Store is Affected?
- Open the database via phpMyAdmin or a similar tool.
- Find the ps_configuration table.
- Check the PS_SHOP_NAME value; if it contains unknown scripts or suspicious code, your store may be compromised.
- Inspect your templates for the {nofilter} tag, which allows XSS code injection.
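The two checks above can be automated. The following script is an added example and is not part of the original article or of PrestaShop; it connects to the store database with PDO, scans every row of the configuration table (not only PS_SHOP_NAME) for script tags, event-handler attributes and similar markers, and lists template files that use nofilter. The DSN, credentials, table prefix and theme path are placeholder assumptions you must replace; the patterns are a triage heuristic, so review each hit by hand.

```php
<?php
// Added example, not from the article or from PrestaShop: locate the two
// indicators the article describes (tainted configuration values and
// templates that use nofilter). All connection values below are assumptions.
declare(strict_types=1);

const DB_DSN    = 'mysql:host=127.0.0.1;dbname=prestashop;charset=utf8mb4'; // assumed
const DB_USER   = 'prestashop';            // assumed
const DB_PASS   = 'change-me';             // assumed
const DB_PREFIX = 'ps_';                   // use your own prefix if you changed it
const THEME_DIR = __DIR__ . '/themes';     // assumed path to theme/module templates

/** Markers that have no business in a configuration value such as PS_SHOP_NAME. */
const SUSPICIOUS_PATTERNS = [
    '/<\s*script/i',              // inline script tag
    '/\bon[a-z]+\s*=/i',          // HTML event handler attribute (onerror=, onload=, ...)
    '/javascript\s*:/i',          // javascript: URL scheme
    '/<\s*iframe/i',              // injected frame
    '/base64_decode|eval\s*\(/i', // obfuscated PHP stored for later use
];

/** True if a single value matches any of the markers above. */
function looksSuspicious(string $value): bool
{
    foreach (SUSPICIOUS_PATTERNS as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Read every row of <prefix>configuration and return name => value for the
 * rows whose value looks suspicious. The prefix is validated against
 * [A-Za-z0-9_] because table identifiers cannot be bound as PDO parameters.
 */
function findSuspiciousConfig(PDO $pdo, string $prefix): array
{
    if (preg_match('/^[A-Za-z0-9_]+$/', $prefix) !== 1) {
        throw new InvalidArgumentException('Unexpected table prefix');
    }
    $stmt = $pdo->query("SELECT name, value FROM `{$prefix}configuration`");
    $hits = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (looksSuspicious((string) $row['value'])) {
            $hits[$row['name']] = $row['value'];
        }
    }
    return $hits;
}

/** Recursively list .tpl files containing "nofilter" ({nofilter} or {$var nofilter}). */
function findNofilterTemplates(string $dir): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getExtension() !== 'tpl') {
            continue;
        }
        $contents = file_get_contents($file->getPathname());
        if ($contents !== false && stripos($contents, 'nofilter') !== false) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

$pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

foreach (findSuspiciousConfig($pdo, DB_PREFIX) as $name => $value) {
    printf("Suspicious configuration value %s: %s\n", $name, substr((string) $value, 0, 120));
}
foreach (findNofilterTemplates(THEME_DIR) as $path) {
    printf("Template uses nofilter: %s\n", $path);
}
```

Run it from the shell with a read-only database account; a hit on nofilter is not proof of compromise (legitimate themes use it to print HTML that was already sanitized), but every such template should be read to confirm the variable it prints cannot carry user-controlled or database-controlled markup.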
If you find malicious code, contact us — we are always ready to help! For many years, we have been monitoring the security of PrestaShop stores and helping to solve such issues.
Vulnerability Source
Vulnerabilities originate from third-party modules that were not updated in time. It is essential to keep every module updated, even when the fix for its vulnerability was released long ago. The latest versions of the PrestaShop core (1.7.8+) are not affected by these attacks if only up-to-date modules are used.
Updating the ps_contactinfo Module 🛠️
PrestaShop has released an updated version of the ps_contactinfo module, which fixes potential vulnerabilities. If you are using PrestaShop version 1.7.2 or higher, be sure to update the module via the admin panel.
It is also important to make a manual code fix:
Replace the line:
'formatted' => AddressFormat::generateAddress($address, [], '<br />'),
with:
'formatted' => Validate::isCleanHtml($formattedAddress) ? $formattedAddress : '',
where $formattedAddress holds the result of the original call and is assigned just before the array is built:
$formattedAddress = AddressFormat::generateAddress($address, [], '<br />');
You can check the main module file ps_contactinfo.php to ensure the presence of this line and apply the necessary fix.
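To see what the fix changes, here is an added, stand-alone example that is not ps_contactinfo code. isCleanHtmlLike() is a simplified re-implementation of the checks PrestaShop's Validate::isCleanHtml() performs (script tags, event-handler attributes, script: URLs, frames and forms), and formatAddressLike() stands in for AddressFormat::generateAddress(), which joins the address lines with <br />; both are assumptions for the demo, and inside a store you use the real classes. The tainted address is a constructed sample.

```php
<?php
// Added example, not from the article or from the ps_contactinfo module:
// the vulnerable 'formatted' value beside the patched one.
declare(strict_types=1);

/** Simplified stand-in for PrestaShop's Validate::isCleanHtml() (assumption). */
function isCleanHtmlLike(string $html): bool
{
    $events = 'onmousedown|onmousemove|onmouseup|onmouseover|onmouseout|onload|onunload'
            . '|onfocus|onblur|onchange|onsubmit|onerror|onclick|onkeydown|onkeyup|onkeypress';
    if (preg_match('/<[\s]*script/ims', $html) === 1) {
        return false;                                    // <script ...>
    }
    if (preg_match('/(' . $events . ')[\s]*=/ims', $html) === 1) {
        return false;                                    // onerror= and friends
    }
    if (preg_match('/.*script\:/ims', $html) === 1) {
        return false;                                    // javascript: / vbscript: URLs
    }
    if (preg_match('/<[\s]*(i?frame|form|input|embed|object)/ims', $html) === 1) {
        return false;                                    // frames, forms, plugins
    }
    return true;
}

/** Stand-in for AddressFormat::generateAddress($address, [], '<br />') (assumption). */
function formatAddressLike(array $lines): string
{
    return implode('<br />', array_filter($lines, fn(string $l): bool => $l !== ''));
}

/** Before the fix: the HTML goes straight to the template, where it is printed with nofilter. */
function formattedBefore(array $addressLines): string
{
    return formatAddressLike($addressLines);
}

/** After the fix: the HTML is kept only if it passes the clean-HTML check, else it is emptied. */
function formattedAfter(array $addressLines): string
{
    $formattedAddress = formatAddressLike($addressLines);
    return isCleanHtmlLike($formattedAddress) ? $formattedAddress : '';
}

// Constructed samples: a normal shop address and one whose street line was
// tampered with (for example through a compromised module writing to the database).
$clean   = ['Example Shop', '1 Example Street', '12345 Example City'];
$tainted = ['Example Shop', '<img src=x onerror="payload">', '12345 Example City'];

echo "clean, before:   ", formattedBefore($clean), PHP_EOL;
echo "clean, after:    ", formattedAfter($clean), PHP_EOL;    // unchanged
echo "tainted, before: ", formattedBefore($tainted), PHP_EOL; // markup reaches the page
echo "tainted, after:  ", var_export(formattedAfter($tainted), true), PHP_EOL; // '' (dropped)
```

The guard errs on the side of showing nothing rather than rendering unchecked markup, which is the right trade-off for a field that is printed with nofilter; the address data itself should still be cleaned in the database once a tainted value has been found.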
How to Protect Your Store 💪
- Always update the PrestaShop core and all modules.
- Use custom prefixes for the database.
- Set up a Web Application Firewall (WAF) to block malicious requests.
- Regularly back up data.
- Follow security news in official PrestaShop communities.
Check Your Modules 🔑
We recommend checking all installed modules for available updates, especially those that work with forms, user data, or templates.
The security of an online store is the key to your customers' trust. Regular updates, following recommendations, and timely inspections help minimize risks and protect data. Keep your store up to date and follow PrestaShop security news!