There is a security vulnerability in this module. Please do not use it.
The method NewsletterpopsendVerificationModuleFrontController::checkEmailSubscription() has sensitive SQL calls that can be executed with a trivial HTTP call and exploited to forge a SQL injection.
WARNING: This exploit is actively used to deploy a webskimmer to massively steal credit cards.
This exploit uses a PrestaShop front controller and most attackers can conceal the module controller's path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see "POST /" inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.
For more info check this link please:
security-advisories/_posts/2023-11-09-newsletterpop.md at main · friends-of-presta/security-advisories (Security advisories of the FOP security team for PrestaShop, github.com)
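As an added example (not part of the post or of the advisory), this is a small parser for ModSecurity's native serial audit log that flags every request whose query string or POST body dispatches to the newsletterpop sendVerification controller, which is exactly what the conventional access log hides behind "POST /". It assumes the module/controller names derived from the class name quoted above (module `newsletterpop`, controller `sendVerification`), PrestaShop's `fc=module&module=...&controller=...` dispatch parameters, and a constructed log sample; the boundary id, timestamp and addresses are made up.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in ModSecurity's native serial audit-log layout (sections A = summary,
# B = request headers, C = request body; assumes SecAuditLogParts keeps C, otherwise the
# body that names the controller never reaches disk).
SAMPLE_AUDIT_LOG = """\
--4f3a1c2b-A--
[09/Nov/2023:10:12:31 +0000] ZUzq1AbCdEfGhIjK 203.0.113.5 54321 198.51.100.10 443
--4f3a1c2b-B--
POST / HTTP/1.1
Host: shop.example
Content-Type: application/x-www-form-urlencoded
--4f3a1c2b-C--
fc=module&module=newsletterpop&controller=sendVerification&email=x%40example.com
--4f3a1c2b-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
SUMMARY_RE = re.compile(r"^\[(.+?)\] (\S+) (\S+)")  # [timestamp] unique_id client_ip

def parse_audit_log(text):
    """Split the serial audit log into one {section_letter: text} dict per entry."""
    parts = SECTION_RE.split(text)  # [prefix, id, letter, body, id, letter, body, ...]
    entries, current_id = [], None
    for i in range(1, len(parts), 3):
        if parts[i] != current_id:
            entries.append({})
            current_id = parts[i]
        entries[-1][parts[i + 1]] = parts[i + 2].strip()
    return entries

def request_params(entry):
    """Merge query-string and POST-body parameters (PrestaShop reads both for dispatch)."""
    line = entry.get("B", "").splitlines()[:1]
    query = line[0].split(" ")[1].partition("?")[2] if line else ""
    params = {}
    for source in (query, entry.get("C", "")):
        params.update({k: v[0] for k, v in parse_qs(source).items()})
    return params

def find_suspicious(text, module="newsletterpop", controller="sendverification"):
    """Return (timestamp, client_ip, unique_id) for each request routed to the controller."""
    hits = []
    for entry in parse_audit_log(text):
        p, m = request_params(entry), SUMMARY_RE.match(entry.get("A", ""))
        if (m and p.get("fc") == "module" and p.get("module") == module
                and p.get("controller", "").lower() == controller):
            hits.append((m.group(1), m.group(3), m.group(2)))
    return hits
```

Run it over the real audit log (`find_suspicious(open(path).read())`) and correlate the unique_id with the matching "POST /" access-log line; a shop that has already removed the module should see no hits at all.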