CVE-2024-25848 identifies an SQL injection vulnerability in the Ever Ultimate SEO module (everpsseo) for PrestaShop, specifically in versions up to and including 8.1.2. SQL injection (CWE-89) occurs when untrusted input is improperly sanitized and directly incorporated into SQL queries, allowing attackers to manipulate database commands. In this case, a guest (unauthenticated user) can exploit the vulnerability without any user interaction, but the attack vector is local (AV:L), meaning the attacker must have some level of access to the system or network where the PrestaShop instance is hosted. The vulnerability impacts confidentiality, integrity, and availability by enabling unauthorized data access, modification, or deletion. The CVSS v3.1 score is 5.9, reflecting medium severity due to the local attack vector and limited scope. No public exploits have been reported yet, but the risk remains significant for e-commerce platforms relying on this module. The lack of a patch link indicates that a fix may not yet be publicly available, increasing the urgency for defensive measures. The vulnerability highlights the importance of secure coding practices, especially input validation and use of parameterized queries in modules handling user input.

The SQL injection vulnerability can lead to unauthorized disclosure of sensitive customer and business data stored in the PrestaShop database, including personal information, order details, and potentially payment data if stored insecurely. Attackers could also alter or delete critical data, disrupting e-commerce operations and damaging business reputation. The availability of the platform could be affected if attackers execute destructive queries or cause database corruption. Since the vulnerability can be exploited by unauthenticated guests, the attack surface is broad within the local network or hosting environment. Organizations using the affected module risk data breaches, regulatory non-compliance (e.g., GDPR), financial losses, and erosion of customer trust. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability details are publicized.

1. Monitor the Ever Ultimate SEO module vendor’s official channels for patches and apply updates promptly once available. 2. Until a patch is released, implement strict input validation and sanitization on all user-supplied data fields related to the SEO module to prevent malicious SQL code injection. 3. Employ parameterized queries or prepared statements in the module’s database interactions to eliminate direct concatenation of user input into SQL commands. 4. Restrict local network access to the PrestaShop server to trusted users and systems only, minimizing the risk of local exploitation. 5. Conduct regular security audits and code reviews of third-party modules before deployment. 6. Enable database activity monitoring and anomaly detection to identify suspicious queries indicative of SQL injection attempts. 7. Maintain comprehensive backups of the database to enable recovery in case of data corruption or loss. 8. Consider deploying Web Application Firewalls (WAFs) with SQL injection detection rules tailored to PrestaShop environments as an additional protective layer.