CVE-2024-36680: Improper neutralization of SQL parameter in Promokit[.]eu – Facebook module for PrestaShop (20-June-2024)

Preface: PrestaShop is an open source e-commerce platform that emerged in 2007. It is still widely used today, with more than 250,000 sites powered by it. The goal of the PrestaShop Facebook module is to promote e-commerce sales on the Facebook and Instagram social networks.

Background: Module developers place each module in its own folder under the directory called “modules” in the PrestaShop root. This directory contains all of PrestaShop’s modules; even basic modules such as the website’s shopping cart can be found in this place.

How do I install PrestaShop on my local computer?

  1. XAMPP is an easy-to-install Apache distribution containing MariaDB, PHP, and Perl. Just download and start the installer.
  2. Go to the official website of XAMPP and download it – Download XAMPP
  3. Install XAMPP at any location; we install it on the C: drive.
  4. Create a project folder in the htdocs directory.
  5. Put the downloaded PrestaShop file in this project folder.
  6. PrestaShop installation process:

- Download PrestaShop.

- Create the database.

- Upload the downloaded file to the server.

- Delete the archive folder and the install folder.

Vulnerability details: In the module “Facebook” (pkfacebook) <=1.0.1 for PrestaShop, a guest can perform SQL injection. The ajax script facebookConnect.php has a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.
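To illustrate the class of flaw described above (a request parameter reaching a SQL statement in a guest-reachable ajax script), here is an added example that is not the pkfacebook module’s own code: a hypothetical PrestaShop ajax handler showing the unsafe pattern beside a hardened version. The parameter names (`id_customer`, `email`), the function names and the use of the core `customer` table are assumptions; `Tools::getValue`, `Db::getInstance()->executeS`, `pSQL` and `Validate::isEmail` are real PrestaShop APIs.

```php
<?php
// Added illustration, not code from the pkfacebook module. Hypothetical
// ajax handler that looks up a customer by an id taken from the request.

// UNSAFE pattern (CWE-89): the raw request value is concatenated into SQL.
// Any guest who controls `id_customer` controls part of the query text.
function lookupCustomerUnsafe()
{
    $id = Tools::getValue('id_customer'); // arbitrary string from the client
    $sql = 'SELECT firstname, lastname FROM `' . _DB_PREFIX_ . 'customer`'
         . ' WHERE id_customer = ' . $id;   // no neutralization at all
    return Db::getInstance()->executeS($sql);
}

// HARDENED version: the value is coerced to the type the column expects
// before it reaches the query, and the request is refused unless the
// caller is a logged-in customer asking about its own record (the advisory
// notes the original call was reachable by guests).
function lookupCustomerSafe(Context $context)
{
    $id = (int) Tools::getValue('id_customer', 0); // an integer or 0, never SQL text
    if ($id <= 0
        || !$context->customer->isLogged()
        || (int) $context->customer->id !== $id) {
        header('HTTP/1.1 403 Forbidden');
        return [];
    }
    $sql = 'SELECT firstname, lastname FROM `' . _DB_PREFIX_ . 'customer`'
         . ' WHERE id_customer = ' . $id;   // $id is a plain integer here
    return Db::getInstance()->executeS($sql);
}

// For string parameters PrestaShop provides pSQL(), which escapes the value
// for use inside a quoted SQL literal; validate the format first as well.
function lookupByEmailSafe()
{
    $email = Tools::getValue('email', '');
    if (!Validate::isEmail($email)) {
        return [];                         // reject anything that is not an e-mail
    }
    $sql = 'SELECT id_customer FROM `' . _DB_PREFIX_ . 'customer`'
         . " WHERE email = '" . pSQL($email) . "'";
    return Db::getInstance()->executeS($sql);
}
```

When reviewing a module’s ajax entry points, every value obtained from `Tools::getValue` that ends up in a query string should be traceable to either an integer cast, `pSQL()`/`bqSQL()`, or a whitelist check like the one above.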

Official announcement: For details, please refer to the link –
