CVE-2023-45381 in Creative Popup Module
Summary
by MITRE • 10/25/2023
In the module "Creative Popup" (creativepopup) up to version 1.6.9 from WebshopWorks for PrestaShop, a guest can perform SQL injection via `cp_download_popup().`
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability identified as CVE-2023-45381 affects the Creative Popup module for PrestaShop, specifically versions up to 1.6.9. This module is designed to create popup windows for various marketing and user engagement purposes on e-commerce websites. The issue stems from inadequate input validation within the cp_download_popup() function which processes user-supplied data without proper sanitization. The vulnerability exists in the module's handling of parameters passed to this function, creating an opportunity for malicious actors to inject arbitrary SQL commands into the database query execution flow. This represents a critical security flaw that could allow unauthorized data access, modification, or deletion across the affected PrestaShop installation.
The technical implementation of this vulnerability aligns with CWE-89 which categorizes improper neutralization of special elements used in SQL commands. The cp_download_popup() function fails to properly escape or parameterize user inputs before incorporating them into SQL queries, enabling attackers to manipulate the database structure through crafted malicious payloads. The vulnerability is particularly dangerous because it does not require authentication, meaning any guest user can exploit it without prior access credentials. This makes the attack surface significantly broader compared to authenticated vulnerabilities where attackers need to first gain valid credentials. The SQL injection occurs during the processing of download popup requests, suggesting that an attacker could manipulate the download functionality to execute malicious database commands.
The operational impact of this vulnerability extends beyond simple data theft to include potential complete system compromise. Attackers could leverage this vulnerability to extract sensitive customer information including personal details, order histories, and potentially payment information stored in the PrestaShop database. The vulnerability also enables data manipulation capabilities that could lead to denial of service conditions by corrupting database entries or deleting critical system tables. Furthermore, the attack could be used to escalate privileges within the database, potentially allowing attackers to execute operating system commands if the database server permits such operations. This makes the vulnerability particularly concerning for e-commerce platforms that handle large volumes of sensitive customer data and financial transactions.
Mitigation strategies for this vulnerability should prioritize immediate module updates to versions that address the SQL injection flaw. System administrators should implement proper input validation and parameterized queries throughout the module code to prevent similar issues in the future. Database access controls should be reviewed to ensure that the web application connects using accounts with minimal required privileges, following the principle of least privilege. Network-level protections including web application firewalls and intrusion detection systems should be configured to monitor for SQL injection patterns. Additionally, regular security audits and penetration testing should be conducted to identify and remediate similar vulnerabilities across the entire PrestaShop ecosystem. The vulnerability also highlights the importance of keeping all third-party modules updated and verifying their security posture through established vulnerability databases and security advisories. Organizations should implement comprehensive monitoring of database activities to detect unusual query patterns that may indicate exploitation attempts.