Software SQL Injection Flaw (CVE-2025-69633) - Patch Now
CVE-2025-69633
Critical SQL injection in PrestaShop Advanced Popup Creator 1.1.26-1.2.6 lets unauthenticated attackers steal DB data, create admin accounts. Update to 1.2.7 now.
Patch now - CVE-2025-69633 is a critical SQL injection in PrestaShop Advanced Popup Creator versions 1.1.26 through 1.2.6 that grants unauthenticated attackers arbitrary database command execution, enabling data theft, admin account creation, and server compromise. Update to version 1.2.7 immediately.
Overview
A critical security vulnerability has been identified in the Advanced Popup Creator module for PrestaShop. This flaw allows an unauthenticated attacker to execute arbitrary SQL commands directly against your website's database, potentially leading to a complete compromise of the online store.
Vulnerability Details
In simple terms, this is a SQL Injection vulnerability. The module fails to properly check and sanitize user input in the fromController parameter. An attacker can craft a malicious request containing SQL code. When this request is processed, the malicious code is executed by the database, rather than being treated as simple data.
The vulnerable code is located in the getPopups() and updateVisits() functions within the classes/AdvancedPopup.php file. This affects module versions 1.1.26 through 1.2.6.
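To make the defect class concrete, here is an added example (not the module's PHP code; a Python model written for this page) of a popup lookup keyed on a controller name. The table layout, the `build_db` helper, the identifier allowlist and the function names are assumptions for the illustration; only the parameter name `fromController` and the two operation names come from the advisory. The vulnerable variant concatenates the request value into the query, so quotes and SQL keywords inside it change what the query does; the hardened variant validates the value against an allowlist and then binds it as a parameter, and the visit counter is coerced to an integer before it is used.

```python
import re
import sqlite3

# Constructed sample data: a minimal popup table (controller name, title,
# active flag, visit counter). Not the module's real schema.
SAMPLE_ROWS = [
    ("index", "Welcome offer", 1),
    ("product", "Related items", 1),
    ("cart", "Free shipping", 0),
]

# Assumed allowlist: controller names are plain identifiers of bounded length.
CONTROLLER_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def build_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE popup ("
        "id INTEGER PRIMARY KEY, controller TEXT, title TEXT, "
        "active INTEGER, visits INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO popup (controller, title, active) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def get_popups_vulnerable(conn, from_controller):
    """Defect class from the advisory: the request value is spliced straight
    into the SQL text, so SQL syntax inside it rewrites the WHERE clause."""
    sql = (
        "SELECT title FROM popup WHERE active = 1 AND controller = '"
        + from_controller
        + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def is_valid_controller(name):
    """Allowlist check: identifier characters only, bounded length."""
    return isinstance(name, str) and CONTROLLER_RE.fullmatch(name) is not None


def get_popups_hardened(conn, from_controller):
    """Reject anything outside the allowlist, then bind the value as a query
    parameter so the driver treats it as data, never as SQL."""
    if not is_valid_controller(from_controller):
        raise ValueError("fromController must be an identifier")
    sql = "SELECT title FROM popup WHERE active = 1 AND controller = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (from_controller,))]


def update_visits_hardened(conn, popup_id):
    """Counter update with the id coerced to int first; a non-numeric value
    raises ValueError before any query is built. Returns the new count."""
    popup_id = int(popup_id)
    conn.execute("UPDATE popup SET visits = visits + 1 WHERE id = ?", (popup_id,))
    conn.commit()
    row = conn.execute("SELECT visits FROM popup WHERE id = ?", (popup_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(get_popups_vulnerable(db, "index"))
    print(get_popups_vulnerable(db, "x' OR '1'='1"))  # every row, inactive included
    print(get_popups_hardened(db, "index"))
    print(update_visits_hardened(db, "1"))
```

The allowlist alone would already stop the tautology input, but parameter binding is the control that holds even when validation is later loosened; in a PrestaShop module the equivalent is to escape string values and cast numeric ones rather than concatenating raw request values into the query.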
Potential Impact
The impact of this vulnerability is severe. A successful attack could allow a remote attacker to:
- Steal Sensitive Data: Extract all data from the PrestaShop database, including customer names, addresses, email addresses, and encrypted passwords.
- Modify or Destroy Data: Alter product information, pricing, orders, or delete entire database tables, causing significant business disruption.
- Gain Administrative Access: Manipulate database entries to create a new administrator account, granting full control over the PrestaShop back office.
- Install Malware: Use database functions to write malicious files to the server, potentially infecting customer browsers.
Remediation and Mitigation
Immediate action is required to protect your PrestaShop installation.
1. Primary Solution: Update the Module. The module developer has released a patched version. You must upgrade the Advanced Popup Creator module to version 1.2.7 or later immediately. This is the only complete fix for the vulnerability.
- Navigate to your PrestaShop back office.
- Go to Modules > Module Manager.
- Locate “Advanced Popup Creator” and check its version.
- If it is version 1.2.6 or lower, update it via the marketplace or by uploading the new version manually.
2. Temporary Mitigation (If Update is Not Immediately Possible): If you cannot update instantly, you can disable the module as a temporary stopgap.
- In your PrestaShop back office, go to Modules > Module Manager.
- Find “Advanced Popup Creator” and click the toggle switch to disable it. Be aware this will remove any popup functionality from your site until the module is updated and re-enabled.
3. Recommended Actions After Patching:
- Audit Logs: Review your PrestaShop and server access logs for any suspicious activity prior to the patch, particularly looking for unusual requests to the popup controller.
- Monitor for Compromise: Be vigilant for signs of a breach, such as unknown admin users, altered content, or unexpected website behavior.
- Change Credentials: As a precaution, consider changing your database and PrestaShop admin passwords after applying the update.
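The log audit above is the step most sites skip because it is tedious by hand. The following added example (written for this page, not a tool from the advisory or the module's developer) scans web-server access-log lines in Apache combined format for requests to the popup module whose `fromController` value contains anything other than identifier characters. The route prefix `/module/advancedpopupcreator/`, the log lines themselves and the allowlist are constructed assumptions; only the parameter name comes from the advisory, so adjust the prefix to the path your installation actually serves the module under.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format). The module
# route is assumed; the fromController parameter name is from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /module/advancedpopupcreator/ajax?fromController=index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:10:01:09 +0000] "GET /module/advancedpopupcreator/ajax?fromController=index%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:02:30 +0000] "GET /module/advancedpopupcreator/ajax?fromController=product HTTP/1.1" 200 480 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:02:41 +0000] "GET /module/advancedpopupcreator/ajax?fromController=product%27 HTTP/1.1" 500 0 "-" "curl/8.4.0"
203.0.113.9 - - [10/Jan/2025:10:03:00 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
POPUP_PATH = "/module/advancedpopupcreator/"  # assumed route prefix
VALID_VALUE = re.compile(r"[A-Za-z0-9_]{1,64}")  # assumed allowlist


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so encoded quotes and spaces are visible.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_suspicious_requests(log_text):
    """Return one finding per popup-module request whose fromController value
    falls outside the identifier allowlist, with the response status as context."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(POPUP_PATH):
            continue
        for value in rec["query"].get("fromController", []):
            if VALID_VALUE.fullmatch(value) is not None:
                continue
            findings.append({
                "ip": rec["ip"],
                "timestamp": rec["ts"],
                "value": value,
                "status": rec["status"],
                "reason": "non-identifier characters in fromController",
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} status={hit["status"]} '
              f'fromController={hit["value"]!r}: {hit["reason"]}')
```

A hit does not prove compromise on its own, but a source address that first sends a normal value and then a malformed one, especially followed by a 500 or an unusually large response, is the pattern worth following up with the other checks in this list (unknown admin users, altered content). Run it over logs from before the patch date, and on nginx or other formats adjust `LOG_RE` to match the fields.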