CVE-2025-69633 Overview
CVE-2025-69633 is a critical SQL injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop, affecting module versions 1.1.26 through 1.2.6. A remote, unauthenticated attacker can run arbitrary SQL against the shop database through the fromController parameter of the module's popup front controller: the parameter is placed unsanitized into the SQL built in classes/AdvancedPopup.php, in the getPopups() and updateVisits() functions.
Critical Impact
The popup controller serves the storefront, so the injection point is reachable without an account. An attacker can read database contents (customer records, credential hashes, order data) through getPopups(), and updateVisits() provides a second, independent injection point, so modification or deletion of rows is possible subject to the privileges of the database user the shop connects with.
Affected Products
- Advanced Popup Creator (advancedpopupcreator) module for PrestaShop, versions 1.1.26 through 1.2.6
- Any PrestaShop shop with one of those module versions installed and enabled; the popup controller is part of the storefront, so every visitor can reach it
Discovery Timeline
- 2026-02-13 - CVE-2025-69633 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-69633
Vulnerability Analysis
This is a classic SQL injection (CWE-89, improper neutralization of special elements in an SQL command) in the module's popup controller. The value of the fromController request parameter is concatenated into SQL strings in classes/AdvancedPopup.php without escaping or parameterization, and those strings are executed by getPopups() and updateVisits().
Because the controller is a front-office endpoint, no authentication is required: a single crafted HTTP request reaches the vulnerable code. An attacker who controls part of the query text can alter its logic (for example, make the WHERE clause true for every row), append a UNION SELECT to read other tables, or, where the response carries no data, fall back to error-based or time-based blind techniques. The second affected function, updateVisits(), is a separate injection point, which is why the impact is not limited to read access.
Root Cause
The root cause is that user-controlled data reaches the database as part of the query text rather than as a value. The fromController parameter is dropped into the statements built in getPopups() and updateVisits() in classes/AdvancedPopup.php without any of the protections PrestaShop's database layer already offers: escaping string values with pSQL() (or Db::getInstance()->escape()) before concatenation, casting numeric parameters with (int), or, where the driver exposes it, binding them as prepared-statement parameters. Any of these would have kept a quote in the parameter from terminating the string literal and turning the rest of the input into SQL syntax.
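To make the root cause concrete, the following added example (not the module's code; the table and column names are invented stand-ins for the module's popup table and the shop's customer table, and the query shapes are assumptions based on the function names) reproduces the flaw in Python against an in-memory SQLite database. It builds a SELECT and an UPDATE keyed on fromController by string concatenation, the pattern the advisory describes for getPopups() and updateVisits(), and places the parameterized versions beside them.

```python
import sqlite3


def build_demo_db():
    """Constructed schema for the demonstration; the real module's tables
    and columns are not shown on the advisory, so these are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE popup(id_popup INTEGER, name TEXT, from_controller TEXT,
                           active INTEGER, visits INTEGER);
        CREATE TABLE customer(email TEXT, passwd TEXT);
        INSERT INTO popup VALUES (1, 'Welcome', 'index', 1, 0);
        INSERT INTO popup VALUES (2, 'Unpublished sale', 'product', 0, 0);
        INSERT INTO customer VALUES ('alice@example.com', '$2y$10$hashA');
        INSERT INTO customer VALUES ('bob@example.com', '$2y$10$hashB');
    """)
    return conn


def get_popups_vulnerable(conn, from_controller):
    """Flawed pattern: the request value is pasted into the SQL text."""
    sql = ("SELECT id_popup, name FROM popup "
           f"WHERE from_controller = '{from_controller}' AND active = 1")
    return conn.execute(sql).fetchall()


def update_visits_vulnerable(conn, from_controller):
    """Same flaw on a write path; returns how many rows the UPDATE touched."""
    sql = ("UPDATE popup SET visits = visits + 1 "
           f"WHERE from_controller = '{from_controller}' AND active = 1")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def get_popups_safe(conn, from_controller):
    """Parameterized: the value is compared as data, never parsed as SQL."""
    sql = "SELECT id_popup, name FROM popup WHERE from_controller = ? AND active = 1"
    return conn.execute(sql, (from_controller,)).fetchall()


def update_visits_safe(conn, from_controller):
    sql = "UPDATE popup SET visits = visits + 1 WHERE from_controller = ? AND active = 1"
    cur = conn.execute(sql, (from_controller,))
    conn.commit()
    return cur.rowcount


# Attacker-controlled values for fromController. In the concatenated queries the
# leading quote closes the string literal and "--" comments out the rest of the
# WHERE clause, so "AND active = 1" never applies.
TAUTOLOGY = "' OR 1=1 -- "
UNION_DUMP = "' UNION SELECT email, passwd FROM customer -- "


def demo():
    conn = build_demo_db()
    return {
        "normal": get_popups_vulnerable(conn, "index"),
        # WHERE from_controller = '' OR 1=1 --' ...  -> every popup, active or not
        "tautology": get_popups_vulnerable(conn, TAUTOLOGY),
        # the appended SELECT returns customer rows in place of popup rows
        "union_dump": sorted(get_popups_vulnerable(conn, UNION_DUMP)),
        # the UPDATE with the tautology rewrites every row instead of one
        "rows_updated": update_visits_vulnerable(conn, TAUTOLOGY),
        # the parameterized versions see the payloads as literal controller names
        "safe_tautology": get_popups_safe(conn, TAUTOLOGY),
        "safe_union": get_popups_safe(conn, UNION_DUMP),
        "safe_rows_updated": update_visits_safe(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The UNION payload works here because the attacker's SELECT matches the two-column shape of the original query; against a real target the column count is discovered by trial, which is exactly the kind of probing that shows up as a burst of failed requests in the logs. SQLite's `--` comment behaves like MySQL's, so the same payloads apply to the PrestaShop schema, with the real table names substituted.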
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable PrestaShop installation containing malicious SQL syntax in the fromController parameter.
The exploitation flow typically involves:
- Identifying a PrestaShop installation running a vulnerable version of Advanced Popup Creator
- Crafting requests to the popup controller endpoint with SQL injection payloads in the fromController parameter
- Extracting database contents through error-based, UNION-based, or blind (boolean- or time-based) SQL injection techniques
- Potentially escalating to data modification or deletion depending on database permissions
For detailed technical analysis of this vulnerability, refer to the Esokia CVE-2025-69633 Analysis.
Detection Methods for CVE-2025-69633
Indicators of Compromise
- SQL syntax errors in the PHP error log or PrestaShop's own logs that reference the popup controller or classes/AdvancedPopup.php; malformed payloads sent during probing are the usual trigger
- Values of fromController in web server access logs that contain quotes, SQL keywords, comment sequences (--, /*, #) or percent-encoded forms of them instead of a plain controller name
- Entries in the MySQL general or slow query log where the popup queries carry clauses the module never generates, such as UNION SELECT, SLEEP() or BENCHMARK()
- Bursts of requests to the popup controller from one client whose response times step up in fixed increments, the signature of time-based blind injection
Detection Strategies
- WAF rules scoped to the fromController parameter of the popup controller, matching on the decoded value; attackers percent-encode payloads (sometimes twice) to slip past patterns applied to the raw request line
- Scan HTTP access logs for requests to the popup controller whose fromController value contains single quotes, UNION ... SELECT, SLEEP( or BENCHMARK(, or comment sequences
- Database activity monitoring for query shapes the PrestaShop database user never normally issues
- Intrusion detection signatures for common SQL injection patterns on the PrestaShop virtual host
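The log-scanning strategy above, as an added example that is not part of the original advisory: a Python scanner over combined-format access log lines that decodes the fromController value (repeatedly, to catch double encoding) and reports which injection indicators it matches. The sample log lines are constructed, not captured traffic, and the request path assumes PrestaShop's usual front-controller routing for a module controller (index.php?fc=module&module=...&controller=...); the controller name "popup" is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in combined log format (not real traffic). Line 3 is
# double-encoded (%2527 decodes to %27, then to a quote).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [14/Feb/2026:10:01:02 +0000] "GET /index.php?fc=module&module=advancedpopupcreator&controller=popup&fromController=index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Feb/2026:10:01:05 +0000] "GET /index.php?fc=module&module=advancedpopupcreator&controller=popup&fromController=index%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.7"
198.51.100.7 - - [14/Feb/2026:10:02:11 +0000] "GET /index.php?fc=module&module=advancedpopupcreator&controller=popup&fromController=product%2527%2520UNION%2520SELECT%2520email,passwd%2520FROM%2520ps_customer--%2520- HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.8 - - [14/Feb/2026:10:03:00 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Injection indicators, checked against the fully decoded parameter value.
INDICATORS = {
    "quote": re.compile(r"""['"]"""),
    "union_select": re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "comment": re.compile(r"--|/\*|#"),
    "tautology": re.compile(r"\bor\b\s*\S+\s*=\s*\S+", re.I),
}


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are seen as sent."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text):
    """Return one finding per request whose fromController value looks injected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in params.get("fromController", []):
            value = fully_decode(raw)          # parse_qs already decoded once
            hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
            if hits:
                findings.append({
                    "src_ip": m["ip"],
                    "time": m["ts"],
                    "module": params.get("module", [""])[0],
                    "status": int(m["status"]),
                    "value": value,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['time']} {f['src_ip']} {f['indicators']} -> {f['value']!r}")
```

The scanner keys on the parameter name rather than the path, so it still fires when PrestaShop's friendly URLs rewrite the request to a /module/... form. Treat the "quote" indicator alone as low confidence (legitimate values never contain one here, but other parameters on a shop might); the combination of a quote with a time-based function or UNION SELECT from the same source is the signal worth alerting on, and an HTTP 200 on those requests means the injected query executed without an error.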
Monitoring Recommendations
- Enable detailed logging on the PrestaShop application to capture all incoming request parameters
- Configure alerts for database errors or exceptions originating from the Advanced Popup Creator module
- Implement real-time monitoring of database query patterns to detect injection attempts
- Review web server logs regularly for reconnaissance activities targeting PrestaShop modules
How to Mitigate CVE-2025-69633
Immediate Actions Required
- Upgrade the Advanced Popup Creator module to version 1.2.7 or later immediately
- If the upgrade cannot be applied at once, disable or uninstall the module; with the module disabled its controller is no longer reachable
- Add WAF rules that block SQL injection patterns in the fromController parameter, matched on the decoded value, as a stopgap only
- Review web server and database logs for exploitation attempts covering the whole period the vulnerable version was exposed; if any succeeded, treat everything the shop's database user could read as potentially disclosed
Patch Information
The vulnerability has been addressed in Advanced Popup Creator version 1.2.7. Administrators should upgrade to this version or later through the PrestaShop module management interface or by downloading directly from the official PrestaShop Addons marketplace. After upgrading, verify the installation by checking the module version in the PrestaShop back office.
Workarounds
- Disable (or uninstall) the Advanced Popup Creator module until the patch can be applied; this removes the vulnerable controller entirely
- Filter the fromController parameter at the web server or reverse proxy so that only a plausible controller name (letters, digits, underscore) is forwarded; allow-listing the expected format is more robust than blocking known payloads
- Block requests carrying common SQL injection payloads to the popup controller at a WAF or reverse proxy; bypasses are easy, so this reduces noise rather than closing the hole
- Restrict the popup controller to trusted IP ranges only where the business accepts that visitors outside those ranges lose the popups; for a storefront this is usually equivalent to disabling the module
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


