CVE-2022-31101: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in PrestaShop blockwishlist
prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.
AI Analysis
Technical Summary
CVE-2022-31101 is a medium-severity SQL Injection vulnerability identified in the PrestaShop extension 'blockwishlist', which is used to display customer wishlists on e-commerce sites powered by PrestaShop. The vulnerability affects versions from 2.0.0 up to but not including 2.1.1. It arises due to improper neutralization of special elements in SQL commands (CWE-89), allowing an authenticated customer to inject malicious SQL code through the wishlist functionality. This can lead to unauthorized database queries, potentially exposing or manipulating sensitive data such as customer information, order details, or administrative data. Exploitation requires authentication, meaning an attacker must have a valid customer account on the affected PrestaShop site. There are no known workarounds, and the issue is resolved by upgrading to version 2.1.1 or later. No public exploits have been reported in the wild as of the publication date (June 27, 2022). The vulnerability is significant because SQL Injection can compromise confidentiality, integrity, and availability of the backend database, potentially leading to data breaches, data loss, or site defacement. However, the requirement for authentication and the lack of known exploits reduce the immediate risk. The vulnerability is specific to the blockwishlist module, so only PrestaShop installations using this extension and running vulnerable versions are affected.
Potential Impact
For European organizations using PrestaShop e-commerce platforms with the vulnerable blockwishlist extension, this vulnerability poses a risk of unauthorized data access and manipulation. Attackers with customer accounts could exploit the flaw to extract sensitive customer data, alter order records, or escalate privileges if combined with other vulnerabilities. This could lead to data breaches impacting customer privacy, regulatory non-compliance (e.g., GDPR violations), financial losses, and reputational damage. The impact is particularly critical for retail and e-commerce businesses that rely on PrestaShop for online sales, as compromised customer trust can have long-term consequences. Additionally, manipulation of order or wishlist data could disrupt business operations and inventory management. Since exploitation requires authentication, the threat is somewhat mitigated by the need for attacker registration or account compromise. However, insider threats or automated account creation could increase risk. The absence of known exploits suggests limited active targeting, but the vulnerability remains a latent risk until patched.
Mitigation Recommendations
1. Immediate upgrade of the blockwishlist extension to version 2.1.1 or later is the primary and only effective mitigation.
2. Implement strict input validation and parameterized queries in custom or legacy PrestaShop modules to prevent SQL injection.
3. Enforce strong customer authentication policies, including multi-factor authentication (MFA), to reduce the risk of attacker account creation or takeover.
4. Monitor database logs and application logs for unusual query patterns or suspicious activity related to wishlist functionality.
5. Limit database user privileges associated with the PrestaShop application to minimize potential damage from SQL injection.
6. Conduct regular security audits and code reviews of PrestaShop extensions, especially those handling user input.
7. Educate development and operations teams about secure coding practices and the importance of timely patching.
8. Consider implementing Web Application Firewalls (WAF) with rules to detect and block SQL injection attempts targeting the wishlist endpoints.
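To make recommendation 2 concrete for a PrestaShop module, the following is an added illustration and not the blockwishlist module's own code (this page does not show the actual vulnerable query). It contrasts a wishlist lookup that concatenates request values into SQL with the PrestaShop-idiomatic hardened form that casts integers, escapes strings with pSQL(), and scopes the query to the customer in the session. The table and column names (wishlist, id_wishlist, id_customer, name) are assumed for the example; Db::getInstance(), Tools::getValue(), pSQL() and _DB_PREFIX_ are standard PrestaShop APIs.

```php
<?php
// Added illustration, not blockwishlist's own code. Table and column names
// below are assumed for the example; the PrestaShop helpers are real.

// Vulnerable pattern (CWE-89): values taken straight from the request are
// concatenated into the SQL text. Because neither value is cast or escaped,
// a logged-in customer controls part of the query that reaches the database.
function getWishlistVulnerable(): array
{
    $idCustomer = Tools::getValue('id_customer');   // raw string from request
    $name       = Tools::getValue('name');          // raw string from request

    $sql = 'SELECT id_wishlist, name FROM ' . _DB_PREFIX_ . 'wishlist'
         . ' WHERE id_customer = ' . $idCustomer     // not cast
         . " AND name = '" . $name . "'";            // not escaped
    return Db::getInstance()->executeS($sql) ?: [];
}

// Hardened pattern: the customer id comes from the authenticated session
// context (never from the request) and is cast to int; the free-text name is
// passed through pSQL(), PrestaShop's escaping helper for string literals.
function getWishlistHardened(Context $context): array
{
    $idCustomer = (int) $context->customer->id;     // trusted, integer only
    $name       = pSQL((string) Tools::getValue('name'));  // escaped literal

    $sql = 'SELECT id_wishlist, name FROM ' . _DB_PREFIX_ . 'wishlist'
         . ' WHERE id_customer = ' . $idCustomer
         . " AND name = '" . $name . "'";
    return Db::getInstance()->executeS($sql) ?: [];
}
```

The hardened form also enforces the authorization the text's threat model relies on: even a valid customer can only read wishlists bound to their own session id, so a code review of a module should check both the escaping and where the id originates.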
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf665b
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/22/2025, 12:36:05 AM
Last updated: 7/31/2025, 3:26:14 AM