
CVE-2023-50027: n/a in n/a

Critical
Published: Fri Jan 05 2024 (01/05/2024, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

SQL Injection vulnerability in Buy Addons baproductzoommagnifier module for PrestaShop versions 1.0.16 and before, allows remote attackers to escalate privileges and gain sensitive information via BaproductzoommagnifierZoomModuleFrontController::run() method.

AI-Powered Analysis

Last updated: 07/04/2025, 03:09:31 UTC

Technical Analysis

CVE-2023-50027 is a critical SQL injection vulnerability in the Buy Addons baproductzoommagnifier (product zoom magnifier) module for PrestaShop. The "1.0.16 and before" in the advisory refers to the module version, not the PrestaShop core version. The flaw is in BaproductzoommagnifierZoomModuleFrontController::run(). By PrestaShop's naming convention that class is a module front controller, so the method is reachable from the public storefront (index.php?fc=module&module=baproductzoommagnifier&controller=zoom, or the friendly-URL form /module/baproductzoommagnifier/zoom) without a customer or back-office session. The method places request input into SQL without the sanitization PrestaShop code normally applies (an (int) cast for identifiers, pSQL() for strings), so a remote, unauthenticated attacker can inject arbitrary SQL into queries run against the shop database with no user interaction. The advisory credits this with privilege escalation and disclosure of sensitive information: the shop database holds customer records, order and payment data and the back-office employee table, so an injection that can read or modify those tables amounts to a takeover of the shop. The vulnerability carries a CVSS 3.1 base score of 9.8 (network attack vector, low attack complexity, no privileges required, no user interaction, high impact on confidentiality, integrity and availability). No public exploit is known at the time of this analysis, but SQL injection in an unauthenticated front controller is easy to find and exploit once the endpoint is identified, so any shop running an affected module version should treat this as urgent.
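The bug class described above, as an added example that is not code from the module, from Buy Addons or from PrestaShop: a hypothetical "zoom" lookup that pastes an id_product parameter into SQL, beside the hardened form that enforces the expected type and binds the value. The tables, rows, column names and the UNION payload are constructed for the illustration (the schema mirrors PrestaShop's ps_ prefix but is not its real layout), and the code runs against an in-memory SQLite database rather than MySQL.

```python
import re
import sqlite3

# Constructed, in-memory stand-in for a PrestaShop database: a product image
# table and the employee (back-office user) table. Names follow PrestaShop's
# ps_ prefix convention; the columns and rows are made up for this example.
SCHEMA = """
CREATE TABLE ps_image (id_image INTEGER, id_product INTEGER, position INTEGER);
CREATE TABLE ps_employee (id_employee INTEGER, email TEXT, passwd TEXT);
INSERT INTO ps_image VALUES (11, 1, 1), (12, 1, 2), (20, 2, 1);
INSERT INTO ps_employee VALUES (1, 'admin@example.test', '$2y$10$constructedhash');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def zoom_images_vulnerable(conn, id_product):
    # Hypothetical vulnerable pattern: the request parameter is interpolated
    # straight into the SQL string, so whatever the client sends becomes SQL.
    sql = f"SELECT id_image, position FROM ps_image WHERE id_product = {id_product}"
    return conn.execute(sql).fetchall()


def zoom_images_hardened(conn, id_product):
    # Hardened form: enforce the expected type before the value goes near the
    # query, then bind it as a parameter. PrestaShop code does the same thing
    # with an (int) cast; pSQL() is the equivalent escaping for string fields.
    if not re.fullmatch(r"[0-9]+", str(id_product)):
        raise ValueError("id_product must be a positive integer")
    sql = "SELECT id_image, position FROM ps_image WHERE id_product = ?"
    return conn.execute(sql, (int(id_product),)).fetchall()


# A classic UNION-based payload: a product id that matches nothing, followed by
# a SELECT over another table with the same column count. This is a generic
# illustration of the bug class, not a payload recovered from the real module.
PAYLOAD = "0 UNION SELECT email, passwd FROM ps_employee"


def demo():
    """Return (legitimate rows, rows leaked via injection, payload rejected?)."""
    conn = open_db()
    legit = zoom_images_vulnerable(conn, "1")       # the intended image rows
    leaked = zoom_images_vulnerable(conn, PAYLOAD)  # employee email and hash
    try:
        zoom_images_hardened(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return legit, leaked, blocked


if __name__ == "__main__":
    legit, leaked, blocked = demo()
    print("legitimate:", legit)
    print("leaked via injection:", leaked)
    print("hardened version rejected payload:", blocked)
```

The leaked row is the back-office login and password hash, which is the "escalate privileges and gain sensitive information" outcome the advisory describes: a front-end query with no session of its own returns data from a table the storefront should never expose. The hardened version refuses the request before any SQL is built; binding alone would also neutralise this payload, but the type check is what keeps the error visible in logs instead of silently returning nothing.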

Potential Impact

For European organizations, especially those operating e-commerce platforms using PrestaShop with the vulnerable baproductzoommagnifier module, this vulnerability poses a severe risk. Exploitation could lead to data breaches involving personal customer information protected under GDPR, resulting in legal penalties and reputational damage. Financial data exposure could lead to fraud and financial loss. The ability to escalate privileges may allow attackers to take over administrative functions, potentially leading to website defacement, insertion of malicious code, or complete service disruption. Given the widespread use of PrestaShop among small and medium-sized enterprises in Europe, the threat could impact a broad range of businesses, from retail to services, undermining customer trust and operational continuity.

Mitigation Recommendations

First check the installed version of the baproductzoommagnifier module in the PrestaShop back office (Modules > Module Manager); anything at or below 1.0.16 is affected. Update to a fixed release from Buy Addons as soon as one is available, and until then disable or uninstall the module: a WAF rule is a stop-gap, not a fix. If the module must stay enabled in the interim, scope WAF rules to its front controller endpoint (index.php?fc=module&module=baproductzoommagnifier&controller=zoom, and the friendly-URL form /module/baproductzoommagnifier/zoom) that reject non-numeric values in identifier parameters and block common SQL injection tokens (UNION SELECT, comment sequences, sleep()/benchmark()), and test the rules against legitimate zoom requests so they do not break the storefront. Review web server access logs for requests to that endpoint carrying SQL keywords or encoded quotes, and for unusual response sizes; if the MySQL general or slow query log is enabled, look for UNION or information_schema queries that the shop itself never issues. Run PrestaShop with a database account limited to the shop schema, without FILE, SUPER or grants on other databases, so an injection cannot reach beyond the shop. Developers maintaining custom modules prevent the same bug class by casting numeric parameters with (int) and passing strings through pSQL() before they reach Db::getInstance(). Subscribe to the vendor's and PrestaShop's security advisories so the fix is applied promptly, and include the module's front controllers in the next penetration test.
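The access-log review suggested above, as an added example that is not part of the original advisory: a scanner over Apache/nginx combined-format log lines that picks out requests routed to the module's front controller and flags parameter values containing SQL injection indicators. The endpoint forms come from PrestaShop's routing convention (fc=module&module=<name>&controller=<ctrl>, or /module/<name>/<ctrl> with friendly URLs); the controller name "zoom" is inferred from the class name in the advisory, the parameter name id_product is an assumption, and the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

MODULE = "baproductzoommagnifier"

# Indicators of a SQL injection attempt in a decoded parameter value. Tuned
# for low noise rather than completeness: none of these belong in a product
# or image identifier.
SQLI_RE = re.compile(
    r"(union\s+(all\s+)?select|information_schema|sleep\s*\(|benchmark\s*\("
    r"|load_file\s*\(|into\s+(out|dump)file|'\s*(or|and)\s+|--\s|/\*|\bps_employee\b)",
    re.IGNORECASE,
)


def targets_module(url):
    """True if the request is routed to the module's front controller, either
    as index.php?fc=module&module=<name>&controller=<ctrl> or as the friendly
    URL /module/<name>/<ctrl> (possibly behind a language or shop prefix)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("fc") == ["module"] and qs.get("module") == [MODULE]:
        return True
    return f"/module/{MODULE}/" in parts.path.lower()


def suspicious_params(url):
    """Return (name, decoded value) for parameters matching the indicators."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for name, values in qs.items():
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double-encoding
            if SQLI_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def scan(lines):
    """Return [(ip, timestamp, url, hits)] for requests to the module that
    carry SQLi indicators. Requests to other endpoints are ignored."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if not targets_module(url):
            continue
        hits = suspicious_params(url)
        if hits:
            findings.append((m.group("ip"), m.group("ts"), url, hits))
    return findings


# Constructed sample log lines: an ordinary zoom request, a URL-encoded UNION
# probe against the module, the same probe against an unrelated endpoint
# (out of scope for this scanner), and a friendly-URL time-based probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "GET /index.php?fc=module&module=baproductzoommagnifier&controller=zoom&id_product=12 HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Jan/2024:10:01:09 +0000] "GET /index.php?fc=module&module=baproductzoommagnifier&controller=zoom&id_product=0%20UNION%20SELECT%20email%2Cpasswd%20FROM%20ps_employee HTTP/1.1" 200 1210',
    '198.51.100.7 - - [10/Jan/2024:10:01:15 +0000] "GET /index.php?controller=product&id_product=0%20UNION%20SELECT%201 HTTP/1.1" 200 5400',
    '198.51.100.9 - - [10/Jan/2024:10:02:30 +0000] "GET /module/baproductzoommagnifier/zoom?id_product=1%27%20OR%20sleep(5)--%20 HTTP/1.1" 500 0',
]


if __name__ == "__main__":
    for ip, ts, url, hits in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {url}")
        for name, value in hits:
            print(f"    param {name!r} -> {value!r}")
```

Two caveats for real use. Access logs only record the query string, so parameters sent in a POST body are invisible to this scanner; if the module accepts POST, enable request-body logging on the WAF or reverse proxy for this endpoint. And a 200 with an unusually large response size on the zoom endpoint (the second sample line) is worth a look even without keyword hits, since a successful UNION often shows up first as a size anomaly.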


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2023-12-04T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683f0dc2182aa0cae27ff39b

Added to database: 6/3/2025, 2:59:14 PM

Last enriched: 7/4/2025, 3:09:31 AM

Last updated: 7/26/2025, 3:42:40 AM
