CVE-2025-69633

A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup controller. The parameter is passed unsanitized to SQL queries in classes/AdvancedPopup.php (getPopups() and updateVisits() functions).

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://addons.prestashop.com/en/pop-up-gamification/23773-popup-on-entry-exit-popup-and-newsletter.html
https://labs.esokia.com/cve/cve-2025-69633/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de inyección SQL en el módulo Advanced Popup Creator (advancedpopupcreator) para PrestaShop 1.1.26 hasta 1.2.6 (Corregido en la versión 1.2.7) permite a atacantes remotos no autenticados ejecutar consultas SQL arbitrarias a través del parámetro fromController en el controlador de popup. El parámetro se pasa sin sanear a las consultas SQL en classes/AdvancedPopup.php (funciones getPopups() y updateVisits()).

17 Feb 2026, 15:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CWE		CWE-89

13 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-13 22:16

Updated : 2026-06-17 10:00

NVD link : CVE-2025-69633

Mitre link : CVE-2025-69633

CVE.ORG link : CVE-2025-69633

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-69633", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-69633", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-02-17T15:09:11.218858Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "affected": [{"source": "cve@mitre.org", "affectedData": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}]}], "published": "2026-02-13T22:16:09.650", "references": [{"url": "https://addons.prestashop.com/en/pop-up-gamification/23773-popup-on-entry-exit-popup-and-newsletter.html", "source": "cve@mitre.org"}, {"url": "https://labs.esokia.com/cve/cve-2025-69633/", "source": "cve@mitre.org"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup controller. The parameter is passed unsanitized to SQL queries in classes/AdvancedPopup.php (getPopups() and updateVisits() functions)."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo Advanced Popup Creator (advancedpopupcreator) para PrestaShop 1.1.26 hasta 1.2.6 (Corregido en la versi\u00f3n 1.2.7) permite a atacantes remotos no autenticados ejecutar consultas SQL arbitrarias a trav\u00e9s del par\u00e1metro fromController en el controlador de popup. El par\u00e1metro se pasa sin sanear a las consultas SQL en classes/AdvancedPopup.php (funciones getPopups() y updateVisits())."}], "lastModified": "2026-06-17T10:00:47.280", "sourceIdentifier": "cve@mitre.org"}