CVE-2024-25845: n/a
In the module "CD Custom Fields 4 Orders" (cdcustomfields4orders) <= 1.0.0 from Cleanpresta.com for PrestaShop, a guest can perform SQL injection in affected versions.
AI Analysis
Technical Summary
CVE-2024-25845 describes an SQL injection vulnerability in the 'CD Custom Fields 4 Orders' module (cdcustomfields4orders) for PrestaShop, developed by Cleanpresta.com, affecting version 1.0.0 and earlier. The published description states only that a guest, that is an unauthenticated front-office visitor, can perform SQL injection; the vulnerable endpoint and parameter are not identified. Because the module's job is to attach custom fields to orders, the likely root cause is guest-supplied field values or identifiers being concatenated into SQL without validation or escaping, the weakness catalogued as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Exploitation needs no privileges (PR:N) and no user interaction (UI:N) and is reachable over the network (AV:N); the scope is unchanged (S:U) because the database sits under the same security authority as the vulnerable component, which is not a limitation in practice since that database holds the whole shop. With high impact on confidentiality, integrity and availability, the CVSS v3.1 base score is 9.8 (Critical). An attacker who controls the query can read any table the module's database user can reach (customers, addresses, orders, back-office employee records), alter or delete order data, or escalate privileges within the shop, for example by tampering with back-office employee records. No official patch is listed for this entry, so merchants running the module should assess their exposure now and apply the mitigations below rather than wait for a vendor release.
Potential Impact
The impact of CVE-2024-25845 is severe for any organization running PrestaShop with the vulnerable 'CD Custom Fields 4 Orders' module. Arbitrary SQL against the shop database can lead to full database compromise: theft of customer personal data, addresses, order histories and payment records, with the financial loss, reputational damage and regulatory penalties that follow. Integrity is at risk because orders, customer records and back-office accounts can be modified or deleted, disrupting operations and trust. Availability is at risk because destructive statements (dropping or truncating tables, corrupting data) cause downtime and lost sales. Since exploitation requires neither authentication nor user interaction, the flaw is a natural target for automated, internet-wide scanning of PrestaShop installations, so unmitigated shops should expect opportunistic exploitation attempts rather than only targeted ones.
Mitigation Recommendations
To mitigate CVE-2024-25845, first check whether the 'CD Custom Fields 4 Orders' module is installed and which version is active (the back-office Module Manager or the module registry table in the database will show this). If version 1.0.0 or earlier is present, immediate steps are:
1) Disable or uninstall the module until a vendor fix is available; this removes the attack surface rather than filtering it.
2) If the module must stay enabled, add Web Application Firewall (WAF) rules that block SQL injection patterns on the module's front-office endpoints; treat this as a stopgap, since WAF signature bypasses for SQL injection are routine.
3) For developers maintaining the module or similar custom modules, validate every guest-supplied value by type (cast numeric identifiers to integers, escape strings) before it reaches a query, or use parameterized queries or prepared statements where the data layer supports them.
4) Monitor web server and database logs for requests to the module's endpoints carrying SQL metacharacters or keywords (quotes, comment sequences, UNION, SLEEP) and for unusual query volume or errors from the database.
5) Run the shop's database user with the minimum privileges the application needs (no FILE, no access to other schemas) so that a successful injection cannot reach beyond the shop's own tables.
6) Keep PrestaShop core and all modules current and subscribe to vendor and PrestaShop security advisories so a fix is applied as soon as it is published.
7) Include custom and third-party modules in regular security audits and penetration tests, with SQL injection in front-office controllers as an explicit test objective.
These measures reduce the risk until an official patch is released; only step 1 or a vendor fix eliminates it.
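As an added illustration (not code from the cdcustomfields4orders module, whose source is not part of this advisory), the following PHP script contrasts the CWE-89 pattern behind this class of bug with type validation plus a prepared statement. The table, column names and sample rows are constructed for the demo, and it uses an in-memory SQLite database through PDO so it runs stand-alone with the PHP CLI; no PrestaShop installation is needed.

```php
<?php
// Added example: a string-concatenated query (the CWE-89 pattern) next to a
// validated, bound query. Table, columns and rows are hypothetical and built
// in memory so the script runs on its own: php sqli_demo.php
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Shape loosely modelled on a per-order custom-field table (constructed for the demo).
    $db->exec('CREATE TABLE order_custom_field (
        id_order INTEGER, field_name TEXT, field_value TEXT, customer_email TEXT)');
    $stmt = $db->prepare('INSERT INTO order_custom_field VALUES (?, ?, ?, ?)');
    foreach ([
        [1001, 'gift_message',  'Happy birthday', 'alice@example.com'],
        [1002, 'delivery_note', 'Leave at door',  'bob@example.com'],
        [1003, 'gift_message',  'Congrats',       'carol@example.com'],
    ] as $row) {
        $stmt->execute($row);
    }
    return $db;
}

// VULNERABLE: the guest-controlled value is spliced straight into the SQL text.
// A value such as "1001 OR 1=1" turns the WHERE clause into an always-true
// predicate and every customer's fields come back.
function lookupVulnerable(PDO $db, string $idOrder): array
{
    $sql = 'SELECT id_order, field_name, field_value, customer_email
            FROM order_custom_field WHERE id_order = ' . $idOrder;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: enforce the type first (an order id is a positive integer), then
// bind the value so the database engine treats it as data, never as SQL.
function lookupHardened(PDO $db, string $idOrder): array
{
    if (!preg_match('/^[1-9][0-9]*$/', $idOrder)) {
        return []; // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT id_order, field_name, field_value, customer_email
                          FROM order_custom_field WHERE id_order = :id');
    $stmt->bindValue(':id', (int) $idOrder, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same discipline for a free-text value: bound as a string, a payload like
// "' OR '1'='1" is compared literally against field_name and matches nothing.
function fieldsNamedHardened(PDO $db, int $idOrder, string $fieldName): array
{
    $stmt = $db->prepare('SELECT field_name, field_value FROM order_custom_field
                          WHERE id_order = :id AND field_name = :name');
    $stmt->bindValue(':id', $idOrder, PDO::PARAM_INT);
    $stmt->bindValue(':name', $fieldName, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$idPayload   = '1001 OR 1=1';   // what a guest could send in a request parameter
$namePayload = "' OR '1'='1";

$leaked = lookupVulnerable($db, $idPayload);
printf("vulnerable lookup, payload %s: %d rows\n", var_export($idPayload, true), count($leaked));
foreach ($leaked as $r) {
    printf("  order %d  %s = %s  (%s)\n",
        $r['id_order'], $r['field_name'], $r['field_value'], $r['customer_email']);
}

printf("hardened lookup, same payload: %d rows\n", count(lookupHardened($db, $idPayload)));
printf("hardened lookup, valid id 1001: %d rows\n", count(lookupHardened($db, '1001')));
printf("hardened name filter, payload %s: %d rows\n",
    var_export($namePayload, true), count(fieldsNamedHardened($db, 1001, $namePayload)));
printf("hardened name filter, 'gift_message': %d rows\n",
    count(fieldsNamedHardened($db, 1001, 'gift_message')));
```

Run it with `php sqli_demo.php`: the vulnerable function returns every row for the `1001 OR 1=1` payload, the hardened one returns none, and only a well-formed id yields the single matching order. Inside a PrestaShop module the `Db` helpers (`Db::getInstance()->executeS()` and friends) take SQL strings rather than bound parameters, so the equivalent discipline there is to cast integers with `(int)` and escape strings with `pSQL()` before they reach the query, which is the convention PrestaShop's own core code follows. To confirm whether the affected module is present at all (mitigation step 1), the module registry can be queried directly; with the default `ps_` table prefix: `SELECT name, version, active FROM ps_module WHERE name = 'cdcustomfields4orders';`.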
Affected Countries
United States, France, Germany, United Kingdom, Canada, Australia, Brazil, India, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-02-12T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d70b7ef31ef0b5722bc
Added to database: 2/25/2026, 9:45:20 PM
Last enriched: 2/28/2026, 9:56:38 AM
Last updated: 4/12/2026, 5:14:41 AM