Skip to content

Hackers exploit Facebook PrestaShop module to steal credit cards

  • by
  • 3 min read

Threat actors are exploiting an SQL injection flaw in a premium Facebook module for PrestaShop to steal people’s payment credit card details.

PrestaShop is an open-source e-commerce platform that enables individuals and businesses to create and manage online stores worldwide. As of 2024, it was used by around 3,000,000 online stores worldwide.

A card skimmer is being deployed on Promokit’s pkfacebook add-on module, which lets shop visitors log in with their Facebook accounts, write comments under shop pages, and chat with support agents on Messenger. Promokit has more than 12,500 sales on the Envato market, while the Facebook module is only sold through vendor sites, where sales numbers are not available.

The critical vulnerability, tracked as CVE-2024-36680, is an SQL injection flaw in the module’s facebookConnect.php Ajax script. This flaw enables remote attackers to trigger SQL injection using HTTP requests. Analysts at TouchWeb discovered the flaw on March 30, 2024; however, said that it was fixed a long time ago without providing proof to substantiate their claims.

On June 18, 2024, Friends-Of-Presta published a proof-of-concept exploit for CVE-2024-36680 and noted that the bug was being actively exploited in the wild.

They further warned that the affected version is unclear as details of the bug being patched allegedly were not provided. “Author refuse to provide the last version to let us check that all is fixed. So you should consider that all versions can be impacted,” stated Friends-Of-Presta.

They recommended the following mitigations for the current situation:

• Upgrade to the latest pkfacebook version, which will disable multi-query executions; however, it would not protect the shop against SQL injection that uses the UNION clause.

• Change the default database prefix (ps_) to a longer, arbitrary one. Due to a design vulnerability in DBMS, this would be ineffective against black hats with DBA senior skills.

• Activate OWASP 942’s rules on your Web application firewall (Warning: This may break your back office and require pre-configuration of bypasses against this set of rules).

PrestaShop issued a warning and hotfix for targeted modules vulnerable to code execution from SQL injection approximately two years ago. Threat actors closely monitor SQL injection vulnerabilities affecting online shop platforms, as they can be exploited to gain administrative privileges, access and/or modify data on the website, extract data, and rewrite SMTP settings to take over emails.

In the News: Japan’s space agency hit by multiple cyberattacks; Claims no sensitive data lost

Arun Maity

Arun Maity

Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: