CVE-2023-33663 in ai-dev Module
Summary
by MITRE • 08/16/2023
In the module “Customization fields fee for your store” (aicustomfee) from ai-dev module for PrestaShop, an attacker can perform SQL injection up to 0.2.0. Release 0.2.1 fixed this security issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/05/2026
The vulnerability CVE-2023-33663 affects the aicustomfee module within the ai-dev PrestaShop module ecosystem, representing a critical SQL injection weakness that could enable unauthorized database access. This flaw exists in versions prior to 0.2.1 of the customization fields fee module, specifically targeting the module's handling of user input within database queries. The vulnerability allows attackers to manipulate SQL commands through improperly sanitized input parameters, potentially leading to complete database compromise and unauthorized access to sensitive customer and business data.
The technical implementation of this SQL injection vulnerability stems from insufficient input validation and sanitization within the module's database interaction functions. When users interact with the customization fields fee functionality, the module fails to properly escape or parameterize user-supplied data before incorporating it into SQL queries. This creates an exploitable entry point where malicious actors can inject arbitrary SQL code through carefully crafted input fields, potentially executing commands with the privileges of the database user account. The vulnerability aligns with CWE-89, which categorizes SQL injection as a fundamental weakness in software design that allows attackers to manipulate database queries through untrusted input.
The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation could enable attackers to perform destructive operations including data modification, deletion, or unauthorized access to customer information such as personal details, purchase history, and financial data. Attackers could potentially escalate privileges within the database, extract sensitive configuration data, or even establish persistent backdoors within the PrestaShop environment. The implications are particularly severe for e-commerce platforms where customer data protection is paramount, as this vulnerability could violate regulatory compliance requirements and result in significant financial and reputational damage.
Mitigation strategies for CVE-2023-33663 require immediate deployment of the patched version 0.2.1 of the aicustomfee module, which implements proper input sanitization and parameterized query execution. System administrators should conduct comprehensive vulnerability assessments to identify any other potentially affected modules or versions within their PrestaShop installations. The remediation process should include thorough input validation mechanisms, proper parameterization of database queries, and implementation of web application firewalls to detect and prevent SQL injection attempts. Additionally, organizations should enforce principle of least privilege for database accounts and implement regular security audits to prevent similar vulnerabilities in other custom modules or core system components, aligning with ATT&CK technique T1071.004 for application layer attacks and CWE-778 for insufficient logging of security-relevant events.