CVE-2024-25843 is a critical SQL injection vulnerability identified in the 'Import/Update Bulk Product from any Csv/Excel File Pro' module (ba_importer) for PrestaShop, a widely used open-source e-commerce platform. The vulnerability exists in versions up to 1.1.28 of the module, allowing unauthenticated attackers to inject malicious SQL queries through the import functionality that processes CSV or Excel files. Because the module fails to properly sanitize or parameterize user-supplied input, attackers can manipulate SQL statements executed by the backend database. This can result in unauthorized data access, data manipulation, or even complete database compromise. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. The CVSS v3.1 base score of 9.8 reflects the critical nature of this flaw, with attack vector being network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the ease of exploitation and potential damage make this a significant threat to any PrestaShop deployment using the affected module. The vulnerability is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

The impact of CVE-2024-25843 is severe for organizations running PrestaShop e-commerce sites with the vulnerable module. Successful exploitation can lead to complete compromise of the underlying database, exposing sensitive customer data such as personal information, payment details, and order history. Attackers could modify or delete product listings, disrupt business operations, or implant malicious content. The integrity and availability of the e-commerce platform could be severely affected, resulting in financial losses, reputational damage, and regulatory compliance violations (e.g., GDPR). Since the vulnerability can be exploited remotely by unauthenticated users, the attack surface is broad, increasing the likelihood of automated scanning and exploitation attempts. This threat is particularly critical for online retailers relying on PrestaShop for their sales infrastructure, as it undermines trust and operational continuity.

To mitigate CVE-2024-25843, organizations should immediately upgrade the 'Import/Update Bulk Product from any Csv/Excel File Pro' module to a patched version once available from Buy Addons or the module vendor. Until a patch is released, restrict access to the import functionality by limiting network exposure, such as placing the PrestaShop admin interface behind VPNs or IP whitelisting. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the import endpoints. Conduct thorough input validation and sanitization on all CSV/Excel import data, ideally by disabling the vulnerable module if it is not essential. Monitor logs for suspicious database queries or failed injection attempts. Additionally, enforce least privilege principles on database accounts used by PrestaShop to minimize damage in case of exploitation. Regularly back up databases and test restoration procedures to recover quickly from potential data corruption or deletion.