CVE-2025-69633 is a high-severity SQL Injection vulnerability affecting the Advanced Popup Creator module for PrestaShop versions 1.1.26 through 1.2.6. The vulnerability arises because the fromController parameter, received via the popup controller, is passed directly into SQL queries within the getPopups() and updateVisits() functions in classes/AdvancedPopup.php without proper sanitization or parameterization. This allows remote attackers to inject arbitrary SQL commands, potentially leading to unauthorized data access, data modification, or complete compromise of the underlying database. The attack vector requires no authentication or user interaction, increasing the risk and ease of exploitation. The vulnerability impacts confidentiality, integrity, and availability of the affected systems. PrestaShop is a widely used open-source e-commerce platform, and the Advanced Popup Creator module is commonly used to manage popup content on storefronts. The flaw was addressed in version 1.2.7 of the module, which includes proper input validation and query parameterization to mitigate injection risks. No known exploits have been reported in the wild yet, but the critical CVSS score of 9.8 indicates a high likelihood of exploitation attempts once the vulnerability is publicly known.

The impact of CVE-2025-69633 is severe for organizations using vulnerable versions of the Advanced Popup Creator module on PrestaShop. Successful exploitation can lead to unauthorized disclosure of sensitive customer and business data, including personal information and transaction records, violating confidentiality. Attackers can also alter or delete data, compromising data integrity, or execute commands that disrupt service availability, causing denial of service. Given the unauthenticated and remote nature of the exploit, attackers can target e-commerce websites without prior access, increasing the attack surface. This can result in financial losses, reputational damage, regulatory penalties, and erosion of customer trust. The vulnerability poses a significant risk to online retailers and service providers relying on PrestaShop, especially those with high traffic and sensitive data processing.

To mitigate CVE-2025-69633, organizations should immediately upgrade the Advanced Popup Creator module to version 1.2.7 or later, which contains the security fix. If upgrading is not immediately possible, implement web application firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the fromController parameter. Conduct thorough input validation and sanitization on all user-supplied parameters at the application level. Employ parameterized queries or prepared statements in custom code interacting with the module to prevent injection. Regularly audit and monitor database logs for unusual query activity indicative of exploitation attempts. Additionally, restrict direct access to the popup controller endpoints via network segmentation or access control lists where feasible. Maintain up-to-date backups and have an incident response plan ready to address potential compromises.