CVE-2024-36678: n/a
CVE-2024-36678 is a critical SQL injection vulnerability found in the 'Theme settings' module (pk_themesettings) version 1.8.8 and earlier from Promokit.eu for PrestaShop. The vulnerability allows an unauthenticated guest user to exploit a sensitive SQL call via the ajax.php script using a simple HTTP request, leading to full compromise of database confidentiality, integrity, and availability. This flaw requires no authentication or user interaction and can be exploited remotely over the network. The vulnerability is rated with a CVSS 3.1 score of 9.8, indicating critical severity.
AI Analysis
Technical Summary
CVE-2024-36678 is a critical SQL injection vulnerability in the 'Theme settings' module (pk_themesettings) version 1.8.8 and earlier, developed by Promokit.eu for the PrestaShop e-commerce platform. The flaw is in the module's ajax.php script, which builds a sensitive SQL query from request input that an unauthenticated attacker can control with a single crafted HTTP request. Because that input reaches the query without proper neutralization (CWE-89, Improper Neutralization of Special Elements used in an SQL Command), an attacker can alter the query's logic and read, modify or delete data in the shop database. No privileges or user interaction are required and the endpoint is reachable over the network, which is why the CVSS v3.1 base score is 9.8: low attack complexity combined with high impact on confidentiality, integrity and availability. At the time this entry was written no official patch had been published and no in-the-wild exploitation was known, but an unauthenticated, network-reachable endpoint with a trivial trigger should be treated as an active risk by every affected shop.
Potential Impact
The impact of CVE-2024-36678 on organizations running the vulnerable module is severe. Successful exploitation gives an attacker control over the shop database: customer records (names, addresses, e-mail), order histories and whatever payment-related data the shop stores can be read, and critical tables can be modified or dropped, disrupting e-commerce operations. An attacker with write access to the database can also create or alter back-office accounts or change stored configuration to keep a foothold for further exploitation. Because no authentication is needed, every store that exposes the module to the internet is reachable by any remote attacker. The likely consequences are financial loss, reputational damage, regulatory exposure for leaked personal data, and loss of customer trust. Organizations running PrestaShop with this module should treat the vulnerability as a critical threat to their e-commerce infrastructure and data.
Mitigation Recommendations
To mitigate CVE-2024-36678, first confirm whether the module is installed and which version is present: check the Modules page in the back office, or read the <version> element of modules/pk_themesettings/config.xml on disk; the installed version is also recorded in the ps_module table (the table prefix is configurable, ps_ is the default). If the version is 1.8.8 or earlier, disable or uninstall the module until a fixed release is available, bearing in mind that the theme may depend on it. If the module cannot be removed, reduce exposure. Since no official patch was published at the time of writing, add WAF rules that block SQL injection patterns in requests to the module's ajax.php, but treat them as a stopgap rather than a fix, because signature-based rules can be bypassed. Restricting ajax.php by IP allow-listing or authentication is only an option if the storefront does not call it for normal visitors; module ajax endpoints are typically used by the theme's front-end, so test on a staging copy before blocking. Monitor web server logs for probing requests to ajax.php (quotes, SQL keywords and comment sequences in parameters, unusual error rates from a single client). If modifying the module is feasible, fix the query itself: cast numeric inputs with (int), pass strings through pSQL() or use prepared statements, and never concatenate raw request values into SQL. If exploitation is suspected, review the database for unexpected back-office accounts and the webroot for modified or added files. Keep verified database backups and test restoration so that damage can be undone. Watch Promokit.eu and PrestaShop advisories for an official fix and upgrade as soon as one is released.
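The two checks above (is the vulnerable version installed, and is anyone probing ajax.php) can be scripted. The following is an added example written for this page; it is not code from Promokit.eu, PrestaShop or the CVE record. It assumes the PrestaShop convention that a module's config.xml carries <name> and <version> elements, assumes the endpoint path /modules/pk_themesettings/ajax.php, and uses hypothetical parameter names (action, id) in a constructed sample log. The injection indicators are generic probes, not a description of this CVE's actual trigger.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Assumptions (not stated on the page): the module ships a PrestaShop-style
# config.xml whose <name>/<version> elements identify it, and the vulnerable
# script is reachable at /modules/pk_themesettings/ajax.php. The parameter
# names in the sample log (action, id) are hypothetical.
VULNERABLE_MAX_VERSION = (1, 8, 8)
ENDPOINT = re.compile(r"/modules/pk_themesettings/ajax\.php", re.IGNORECASE)

# Generic SQL-injection probe indicators, matched against the URL-decoded
# request target. Coarse by design; tune before turning them into blocking rules.
SQLI_INDICATORS = {
    "tautology": re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.IGNORECASE),
    "time_or_error_based": re.compile(r"\b(sleep|benchmark|extractvalue|updatexml)\s*\(", re.IGNORECASE),
    "sql_comment": re.compile(r"(--|/\*)"),
    "schema_enum": re.compile(r"\binformation_schema\b", re.IGNORECASE),
}

# Apache/nginx combined log format: client, timestamp, request line, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(text: str) -> tuple:
    """'1.8.8' -> (1, 8, 8); a trailing non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def module_is_vulnerable(config_xml: str) -> bool:
    """True when config.xml names pk_themesettings at version 1.8.8 or earlier."""
    root = ET.fromstring(config_xml)
    name = (root.findtext("name") or "").strip()
    version = (root.findtext("version") or "").strip()
    if name != "pk_themesettings" or not version:
        return False
    return parse_version(version) <= VULNERABLE_MAX_VERSION


def flag_suspicious_requests(log_text: str) -> list:
    """Return (ip, timestamp, status, [indicator names]) for every request to the
    module's ajax.php whose decoded target matches at least one SQLi indicator.
    Requests to other paths are ignored so the output stays focused on this endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not ENDPOINT.search(m["target"]):
            continue
        decoded = urllib.parse.unquote_plus(m["target"])
        hits = [name for name, rx in SQLI_INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append((m["ip"], m["ts"], int(m["status"]), hits))
    return findings


# Constructed sample data, not taken from a real shop.
SAMPLE_CONFIG_XML = """<module>
  <name>pk_themesettings</name>
  <displayName><![CDATA[Theme settings]]></displayName>
  <version><![CDATA[1.8.8]]></version>
</module>"""

SAMPLE_LOG = """\
203.0.113.10 - - [25/Feb/2026:21:40:51 +0000] "GET /modules/pk_themesettings/ajax.php?action=get&id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.55 - - [25/Feb/2026:21:41:03 +0000] "GET /modules/pk_themesettings/ajax.php?action=get&id=12%27%20OR%201%3D1--%20 HTTP/1.1" 200 8874 "-" "python-requests/2.31"
203.0.113.55 - - [25/Feb/2026:21:41:09 +0000] "GET /modules/pk_themesettings/ajax.php?action=get&id=12%20UNION%20SELECT%20NULL%2CNULL HTTP/1.1" 500 231 "-" "python-requests/2.31"
198.51.100.7 - - [25/Feb/2026:21:42:00 +0000] "GET /index.php?id_product=5%27%20OR%201%3D1 HTTP/1.1" 404 0 "-" "curl/8.0"
"""

if __name__ == "__main__":
    print("module vulnerable:", module_is_vulnerable(SAMPLE_CONFIG_XML))
    for ip, ts, status, hits in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {ts} HTTP {status}: {', '.join(hits)}")
```

Run against a real config.xml and access log by reading the files into the two functions. The log scanner only flags requests to the module's ajax.php, so the SQLi-looking request to index.php in the sample is deliberately not reported; widen ENDPOINT if you want generic coverage. A 200 with an unusually large response body after a tautology payload, as in the second sample line, is the pattern worth escalating, since it suggests the injected condition changed what the query returned.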
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Italy, Spain, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-05-30T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c63b7ef31ef0b5638ff
Added to database: 2/25/2026, 9:40:51 PM
Last enriched: 2/26/2026, 5:09:47 AM
Last updated: 2/26/2026, 8:00:50 AM
Related Threats
- CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup (High)
- CVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator (Medium)
- CVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo (Medium)