
PrestaShop Facebook Plugin Vulnerability Disclosed, Attackers Already Exploiting It to Steal Credit Card Data


A critical vulnerability in pkfacebook, a Facebook integration module for the PrestaShop e-commerce platform, has recently been disclosed. Tracked as CVE-2024-36680, it has been confirmed by Friends Of Presta, a community of PrestaShop developers and security specialists, which also reports that attackers are already exploiting it in the wild.

pkfacebook is a paid module that lets shoppers interact with a store through their Facebook accounts, for example by leaving comments or contacting customer service via Messenger. An Ajax script in the module, facebookConnect.php, passes attacker-controlled request input into SQL queries without proper neutralization, which makes SQL injection possible against any store with the module installed.

Friends Of Presta rates the vulnerability at CVSS 9.8 (critical). All versions before 1.0.1 are affected. More worrying, the flaw is being actively exploited: attackers use the injection to plant web skimmers on compromised stores and harvest payment card data at scale.

Because pkfacebook is a commercial module sold through Promokit.eu rather than a bundled component, there is no public count of the stores that run it, so the true scope of exposure cannot be determined. That uncertainty itself adds to the risk: many affected merchants may not know they are running the vulnerable module.

Security firm TouchWeb reported the vulnerability at the end of March. When the researchers contacted the developer, Promokit.eu, the vendor said it was not aware of the issue and did not provide information about which versions were affected, nor a current release that the researchers could use to verify whether the flaw had been patched.

Given the severity and the confirmed in-the-wild exploitation, Friends Of Presta urges every site administrator using this module to act immediately. The recommended measures are to upgrade to the latest version of pkfacebook and to enable WAF rules that block SQL injection payloads directed at the module's Ajax endpoint. Because exploitation predates the fix, upgrading alone does not undo a compromise: administrators should also check access logs for injection attempts against facebookConnect.php and inspect checkout pages for injected scripts or unexpected payment forms.
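The following script is an added example, not code from the original article, from Friends Of Presta or from Promokit.eu. It shows the kind of log triage and WAF-style matching the advice above calls for: it parses combined-format access log lines, isolates requests to facebookConnect.php (matched by filename, since the exact module path and the name of the injectable parameter are not stated in the advisory; the `/modules/pkfacebook/ajax/` path and the `fb_id` parameter in the constructed sample lines are assumptions), repeatedly URL-decodes each query parameter so double-encoded payloads are not missed, and flags values that carry SQL injection signatures.

```python
"""Triage web-server access logs for SQL injection attempts against the
pkfacebook Ajax endpoint facebookConnect.php (CVE-2024-36680).

Added example; endpoint path and parameter names below are assumptions."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" format:
#   host ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Match on the script name only: the module may live under different paths.
TARGET_SCRIPT = "facebookconnect.php"

# Coarse injection signatures; a WAF rule for this endpoint would look similar.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),   # ' OR 1=1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),        # UNION SELECT
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),             # time-based probes
    re.compile(r"\b(information_schema|ps_customer|ps_orders)\b", re.I),
    re.compile(r"(--|/\*|\*/)"),                               # comment truncation
]


def fully_decode(value, rounds=3):
    """URL-decode until stable so %2527 -> %27 -> ' is seen as a quote."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return None if the request is not for the vulnerable script, otherwise a
    list of (param, matched_pattern) pairs (empty when nothing looks injected).
    Only the query string is visible in an access log; POST bodies need WAF or
    application-level logging to be inspected the same way."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(TARGET_SCRIPT):
        return None
    findings = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already decoded one level
        for pattern in SQLI_PATTERNS:
            if pattern.search(value):
                findings.append((key, pattern.pattern))
                break
    return findings


def triage(log_lines):
    """Return one record per log line that carries an injection attempt."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["target"])
        if findings:
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "status": int(m["status"]),
                "params": [key for key, _ in findings],
            })
    return hits


def attackers(hits):
    """Count flagged requests per source address, for blocking or reporting."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


# Constructed sample log lines (not real traffic): one legitimate call, a
# single-encoded boolean injection, a double-encoded UNION SELECT, and an
# unrelated request that should be ignored by this endpoint-specific check.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2024:10:01:12 +0000] "GET /modules/pkfacebook/ajax/'
    'facebookConnect.php?fb_id=1234567890 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Jun/2024:10:02:45 +0000] "GET /modules/pkfacebook/ajax/'
    'facebookConnect.php?fb_id=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 9870 "-" "python-requests/2.31"',
    '198.51.100.23 - - [02/Jun/2024:10:02:51 +0000] "GET /modules/pkfacebook/ajax/'
    'facebookConnect.php?fb_id=1%2527%2520UNION%2520SELECT%2520passwd%2520FROM%2520ps_customer--%2520'
    ' HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [02/Jun/2024:10:03:02 +0000] "GET /index.php?controller=product&'
    'id_product=1%27%20OR%201%3D1 HTTP/1.1" 200 3000 "-" "curl/8.0"',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} params={hit["params"]}')
    print("flagged requests per source:", attackers(found))
```

A 200 response to an injected request is the case worth chasing: it suggests the payload executed rather than erroring out, so the store should be treated as potentially compromised and its checkout pages checked for injected skimmer code regardless of whether the module has since been upgraded.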

This incident is another reminder that no component of an e-commerce stack is too small to matter: a single third-party module can expose every customer's payment data. Store operators need to keep an inventory of the modules they run, apply security updates promptly, and watch for signs of exploitation so that user data and privacy are protected.