CVE-2023-46357 in Cross Selling in Modal Cart Module

Summary

by MITRE • 11/22/2023

In the module "Cross Selling in Modal Cart" (motivationsale) < 3.5.0 from MyPrestaModules for PrestaShop, a guest can perform SQL injection. The method `motivationsaleDataModel::getProductsByIds()` has sensitive SQL calls that can be executed with a trivial HTTP call and exploited to forge a SQL injection.


Analysis

by VulDB Data Team • 02/15/2026

The vulnerability identified as CVE-2023-46357 affects the Cross Selling in Modal Cart module version 3.4.9 and earlier from MyPrestaModules for PrestaShop platforms. This security flaw resides within the motivationsaleDataModel::getProductsByIds() method which processes user input without proper sanitization, creating an exploitable pathway for malicious actors to execute unauthorized database operations. The vulnerability specifically impacts guest users who can leverage this flaw through simple HTTP requests, making it particularly dangerous as it requires minimal technical expertise to exploit.

The technical implementation of this vulnerability stems from improper input validation within the module's database interaction layer. When the getProductsByIds() method processes product identifiers provided by users, it directly incorporates these values into SQL queries without adequate parameterization or sanitization mechanisms. This design flaw aligns with CWE-89 which specifically addresses SQL injection vulnerabilities arising from insufficient input validation and improper query construction. The vulnerability allows attackers to manipulate the SQL execution flow by injecting malicious SQL commands through the product ID parameters, potentially enabling full database compromise.

From an operational perspective, this vulnerability presents significant risk to PrestaShop merchants using the affected module. Attackers can exploit this weakness to extract sensitive customer data, manipulate product catalogs, or escalate privileges within the database. Because exploitation requires only simple HTTP calls, even non-technical threat actors can use it effectively. The impact extends beyond immediate data theft to potential service disruption and reputational damage for affected e-commerce platforms. Security analysts should note that the flaw sits in a customer-facing cross-selling feature, which is reachable by any visitor and therefore an attractive target for attackers probing e-commerce platforms.

The recommended mitigation is an immediate upgrade to version 3.5.0 or later of the motivationsale module, where the SQL injection has been addressed through proper input sanitization and parameterized queries. System administrators should also implement network-level protections, including web application firewalls and database query monitoring, to detect potential exploitation attempts. Additionally, organizations should conduct thorough security assessments of all third-party modules installed on their PrestaShop platforms to identify similar vulnerabilities. The ATT&CK framework categorizes this vulnerability under T1190 - Exploit Public-Facing Application, highlighting the importance of securing application interfaces that are accessible to unauthenticated users. Regular security patch management and comprehensive vulnerability scanning should be implemented as ongoing measures to prevent similar issues from emerging in the PrestaShop ecosystem.
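The following PHP example is added here to illustrate the CWE-89 pattern the analysis describes and the kind of fix it recommends (integer validation plus bound parameters for a list of product ids). It is not the motivationsale module's code and does not reproduce the vulnerable method; the function names `sanitizeProductIds()` and `getProductsByIdsSafe()`, the `product` table and the sample rows are all hypothetical. It uses PDO with an in-memory SQLite database so it runs stand-alone with a PHP CLI that has pdo_sqlite enabled.

```php
<?php
// Added illustration of the SQL injection pattern behind CVE-2023-46357,
// not the motivationsale module's own code. Shows a product-id lookup that
// never lets user input become part of the SQL text.
declare(strict_types=1);

// Hypothetical helper: accept only plain unsigned integers. Everything the
// cart modal sends arrives as strings, so validate before any SQL is built.
// Returns null if any element is not an id, so the caller can refuse the call.
function sanitizeProductIds(array $rawIds): ?array
{
    $clean = [];
    foreach ($rawIds as $raw) {
        $s = is_int($raw) ? (string) $raw : (is_string($raw) ? trim($raw) : '');
        // ctype_digit() is true only for non-empty strings made of 0-9.
        if ($s === '' || !ctype_digit($s)) {
            return null;
        }
        $clean[] = (int) $s;
    }
    return array_values(array_unique($clean));
}

// Hardened lookup (hypothetical name mirroring the advisory's method).
// Each id is cast to int and bound to its own placeholder, so the database
// receives the ids as data, not as part of the query string.
function getProductsByIdsSafe(PDO $db, array $rawIds): array
{
    $ids = sanitizeProductIds($rawIds);
    if ($ids === null || $ids === []) {
        return []; // reject rather than interpolate anything suspicious
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT id_product, name FROM product WHERE id_product IN ($placeholders)"
    );
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample catalogue so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (id_product INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO product VALUES (1, 'Mug'), (2, 'T-shirt'), (3, 'Poster')");

// Well-formed ids, as the modal cart would send them.
var_dump(getProductsByIdsSafe($db, ['1', '3']));

// A value that is not a plain unsigned integer is refused before any SQL runs.
var_dump(getProductsByIdsSafe($db, ['1', '3 extra']));
```

The validation step matters as much as the placeholders: a `(int)` cast alone silently turns a malformed value into 0 or a truncated number and hides the attempt, whereas returning an empty result (and logging the rejected input) gives the query-monitoring layer mentioned above something concrete to alert on.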

Reservation

10/23/2023

Disclosure

11/22/2023

Moderation

accepted

CPE

ready

EPSS

0.00714

KEV

no

Activities

very low

Sources
