In the module “Customization fields fee for your store” (aicustomfee) for PrestaShop, an attacker can perform SQL injection up to 0.2.0. Release 0.2.1 fixed this security issue.


  • CVE ID: CVE-2023-33663
  • Published at: 2023-08-16
  • Advisory source:
  • Platform: PrestaShop
  • Product: aicustomfee
  • Impacted release: < 0.2.1 (0.2.1 fixed issue)
  • Product author: ai-dev / @ide-info
  • Weakness: CWE-89
  • Severity: critical (9.8)


Before 0.2.1, sensitives SQL calls in file includes/ajax.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted data and product variables.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Technical and personal data leaks
  • Obtain admin access
  • Remove all data of the linked PrestaShop
  • Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem


--- a/modules/aicustomfee/includes/ajax.php
+++ b/modules/aicustomfee/includes/ajax.php
switch (Tools::getValue('action')) {
    case 'cloneCombination':
        if (!($data = Tools::getValue('data')) || !($combination = Tools::getValue('combination')) || !($product = Tools::getValue('product'))) {
        $data = explode('|', $data);
+       $data = array_map('intval', $data);
        $result = Db::getInstance()->getRow(
            'SELECT COUNT(id_product_attribute) AS number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute_combination WHERE id_attribute IN ('.implode(',', $data).') GROUP BY id_product_attribute HAVING number = '.count($data)
--- a/modules/aicustomfee/includes/functions.php
+++ b/modules/aicustomfee/includes/functions.php
    public function createCombination($product, $old_combination, $data) 
        //    Add for Prestashop 1.5 version and above
        if ((float)Tools::substr(_PS_VERSION_, 0, 3) >= 1.5) {
            $shop_id = (int)Shop::getContextShopGroupID();
+       $product = (int) $product;
+       $old_combination = (int) $old_combination;
+       $data = array_map('intval', $data);
        //    Get the product data
        $product_data = Db::getInstance()->getRow('SELECT * FROM '._DB_PREFIX_.'product WHERE id_product = '.$product);

Other recommandations

  • Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”) - be warned that this functionality WILL NOT protect your SHOP against injection SQL which uses the UNION clause to steal data.
  • Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
  • Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.


Date Action
2023-05-08 Vunlnerability found during a audit by 202 ecommerce
2023-05-10 Contact the author
2023-05-12 The author confirm the issue and supply a fixed release
2023-05-12 Request a CVE ID
2023-08-16 Publication of this advisory