
CVE-2023-50028: SQL injection in "Sliding cart block" (blockslidingcart) for PrestaShop

Critical
Published: Fri Jan 19 2024 (01/19/2024, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

In the module "Sliding cart block" (blockslidingcart) up to version 2.3.8 from PrestashopModules.eu for PrestaShop, a guest can perform SQL injection.

AI-Powered Analysis

Last updated: 07/03/2025, 17:13:01 UTC

Technical Analysis

CVE-2023-50028 is an SQL injection vulnerability in the "Sliding cart block" (blockslidingcart) module, versions up to and including 2.3.8, developed by PrestashopModules.eu for the PrestaShop e-commerce platform. It is reachable by a guest, meaning an unauthenticated storefront visitor: a value under the visitor's control reaches an SQL statement issued by the module without being neutralized, the weakness catalogued as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

The CVSS v3.1 base score of 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects that the attack is launched over the network, has low complexity, needs no privileges and no user interaction, and has high impact on confidentiality, integrity and availability. The injected statement runs with the privileges of the PrestaShop database account, which in a typical installation can read and write every table of the shop: customer records and password hashes, addresses, orders, and the employee (back-office) accounts. Data theft is the obvious outcome, but write access to those tables can also be turned into back-office access, so the realistic consequence is compromise of the shop rather than of one feature. Reaching the operating system from the injection would require additional database privileges (FILE, for example) that a correctly provisioned shop account should not hold.

This entry links no patch, and no in-the-wild exploitation had been reported at the time of analysis, but SQL injections in PrestaShop modules are a common target of automated scanning, and the affected range ends at 2.3.8: confirm with PrestashopModules.eu which release contains the fix before relying on an upgrade. Every store with the module installed should treat remediation as urgent.
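To make the CWE-89 pattern concrete, here is an added example that is not code from blockslidingcart, PrestashopModules.eu or PrestaShop: a small PHP script that reproduces the vulnerable shape and its hardened counterpart against an in-memory SQLite database. The table names (ps_cart_product, ps_customer), the request parameter (id_cart) and the sample rows are assumptions for illustration; the actual injection point in the module is not published on this page.

```php
<?php
// Added illustrative example (not the module's or PrestaShop's code):
// the CWE-89 pattern behind the advisory, reproduced against in-memory
// SQLite so it runs stand-alone with `php example.php` (pdo_sqlite needed).
// Table/column names are modelled on PrestaShop's "ps_" schema but are
// assumptions, as is the hypothetical request parameter "id_cart".

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ps_cart_product (id_cart INTEGER, id_product INTEGER, quantity INTEGER)');
    $db->exec('CREATE TABLE ps_customer (id_customer INTEGER, email TEXT, passwd TEXT)');
    // Constructed sample rows: two carts and one customer.
    $db->exec('INSERT INTO ps_cart_product VALUES (1, 42, 2), (2, 7, 1)');
    $db->exec("INSERT INTO ps_customer VALUES (1, 'alice@example.test', '<bcrypt hash>')");
    return $db;
}

// Vulnerable: the guest-supplied value is concatenated into the statement.
// In a PrestaShop module this is the shape of
//   Db::getInstance()->executeS('... WHERE id_cart = ' . Tools::getValue('id_cart'));
function cartRowsVulnerable(PDO $db, string $idCart): array
{
    $sql = 'SELECT id_product, quantity FROM ps_cart_product WHERE id_cart = ' . $idCart;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the numeric input is cast before it reaches SQL and the value is
// bound rather than concatenated. PrestaShop's own idiom is the (int) cast
// (and pSQL() for string context); the bound parameter is the PDO equivalent.
function cartRowsHardened(PDO $db, string $idCart): array
{
    $id = (int) $idCart;              // "1 UNION SELECT ..." becomes 1
    if ($id <= 0) {
        return [];                    // reject zero/negative ids outright
    }
    $stmt = $db->prepare('SELECT id_product, quantity FROM ps_cart_product WHERE id_cart = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDb();
// Constructed guest request: the UNION appends a ps_customer row to the
// result set the module would render into the cart block.
$payload = '1 UNION SELECT email, passwd FROM ps_customer';

echo "vulnerable:\n";
print_r(cartRowsVulnerable($db, $payload));   // cart rows plus the customer row

echo "hardened:\n";
print_r(cartRowsHardened($db, $payload));     // cart 1 rows only
```

The cast in the hardened version is what PrestaShop's coding conventions already require for numeric parameters; string parameters that must go into SQL are passed through pSQL(), and values that are neither (column names, ORDER BY directions, LIMIT fragments) should be checked against a whitelist rather than escaped, because escaping does not help outside a string literal.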

Potential Impact

For European organizations running PrestaShop stores with the Sliding cart block module, this is a severe exposure. Successful exploitation can disclose customer personal data (names, addresses, e-mail addresses, password hashes) and any payment-related data the shop stores, which is a personal data breach under the GDPR with notification duties and potential penalties. Order, stock and pricing data can be altered or deleted, disrupting operations and causing direct financial loss, and a corrupted database or a deliberately slow query (time-based injection) can take the storefront down. The reputational cost of a breach at an online retailer is substantial. Because exploitation is remote, unauthenticated and needs no user interaction, it lends itself to automated, indiscriminate campaigns against many shops as well as to targeted attacks.

Mitigation Recommendations

Until a corrected release is confirmed, the most reliable mitigation is to uninstall the Sliding cart block module from the PrestaShop back office. Disabling a module does not necessarily stop direct requests to PHP files shipped inside its directory, so removing it is safer than leaving it disabled. Watch PrestashopModules.eu for an update; the affected range ends at 2.3.8, so verify with the vendor which version contains the fix rather than assuming the next release does.

If the module must stay in place, a web application firewall can buy time. PrestaShop serves module front controllers under /modules/<module name>/, so rules can be scoped to that path and tuned to block quotes, SQL comment sequences, UNION/SELECT and time-based functions (SLEEP, BENCHMARK) in decoded parameters. This is a stopgap that a motivated attacker can evade, not a fix.

Apply least privilege to the database account. Grant the PrestaShop user only the privileges the application needs on its own schema (the usual DML plus the DDL the installer and module manager require), never FILE, SUPER, PROCESS or GRANT OPTION, and no access to other databases on the same server. This limits what an injection can reach beyond the shop, but it cannot protect the shop's own customer data, which the application legitimately reads.

Review any custom or third-party modules for the same pattern: values from Tools::getValue() concatenated into SQL without an (int) cast or pSQL(). Monitor web server logs for requests to the module path that contain SQL syntax, and the MySQL general or slow query log for UNION, SLEEP or information_schema reads that the shop does not normally issue. Keep tested backups so a corrupted database can be restored quickly, and have an incident response plan for e-commerce breaches that covers the GDPR obligation to notify the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33).
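As an added example of the log monitoring suggested above (not part of the original advisory), the following PHP script flags requests that both target the module's path and carry SQL syntax after URL decoding. It assumes PrestaShop's usual layout, in which module front controllers are served under /modules/<module name>/; the controller file name and all log lines are constructed for the example and do not describe the actual vulnerable endpoint.

```php
<?php
// Added example (not from the original advisory): triage of web server
// access logs for SQL injection attempts aimed at the module's controllers.
// Path assumption: PrestaShop serves module controllers under
// /modules/<module name>/. The "ajax.php" file name in the sample lines
// is invented, and every log line below is constructed.

const MODULE_PATH = '/modules/blockslidingcart/';

// Tokens that rarely appear in legitimate storefront parameters.
const SQLI_PATTERN = '/(\'|"|--|\/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bextractvalue\s*\(|\bupdatexml\s*\(|\binformation_schema\b)/i';

// Apache/nginx "combined" format:
//   host - user [time] "METHOD URI PROTO" status bytes "referer" "user-agent"
function parseAccessLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'uri' => $m[4], 'status' => (int) $m[5]];
}

// Returns the requests that hit the module path and contain SQL syntax in the
// decoded URI. Decoding matters: payloads arrive as %27, %20, %2D%2D and so on.
function flagSqliAttempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseAccessLine($line);
        if ($req === null) {
            continue;
        }
        $decoded = rawurldecode($req['uri']);
        if (stripos($decoded, MODULE_PATH) === false) {
            continue;                     // scope first, to limit false positives
        }
        // Double-decoded variant (%2527 -> %27 -> ') catches a common WAF-evasion trick.
        $decoded2 = rawurldecode($decoded);
        if (preg_match(SQLI_PATTERN, $decoded) || preg_match(SQLI_PATTERN, $decoded2)) {
            $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status'], 'uri' => $decoded];
        }
    }
    return $hits;
}

// Constructed sample log: a benign request, a UNION-based attempt, an
// unrelated product page, and a time-based probe with a scanner user agent.
$sampleLog = [
    '203.0.113.5 - - [19/Jan/2024:10:01:02 +0000] "GET /modules/blockslidingcart/ajax.php?id_cart=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Jan/2024:10:01:09 +0000] "GET /modules/blockslidingcart/ajax.php?id_cart=17%20UNION%20SELECT%20email,passwd%20FROM%20ps_customer HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jan/2024:10:02:30 +0000] "GET /index.php?controller=product&id_product=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Jan/2024:10:03:44 +0000] "GET /modules/blockslidingcart/ajax.php?id_cart=17%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
];

foreach (flagSqliAttempts($sampleLog) as $hit) {
    printf("%s %s %d %s\n", $hit['time'], $hit['ip'], $hit['status'], $hit['uri']);
}
```

Feed it the real access log one line per element and tune the token list: \bselect\b in particular can occur in legitimate parameters, which is why the check is scoped to the module path before any pattern is applied. A hit shows that an attempt was made, not that it succeeded; compare status code and response size against a baseline request to the same controller, since a 200 with an unusually large body is the signature of a UNION payload that returned rows.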


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2023-12-04T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683dbfa5182aa0cae24982b1

Added to database: 6/2/2025, 3:13:41 PM

Last enriched: 7/3/2025, 5:13:01 PM

Last updated: 8/12/2025, 9:58:57 PM

