
An attack against a few PrestaShop stores was reported to us. Thank you to the many professionals who contacted us regarding this security issue. The PrestaShop teams immediately launched an exhaustive search for the vulnerabilities exploited by the attack, and identified the cause.
We found that only a few modules and themes were affected. These are no longer available for download via the PrestaShop Addons Marketplace, and the developers of these modules and themes have been notified.
Who is at risk?
The vulnerabilities concerned correspond to several files contained in certain versions of modules and themes. These files are found in the modules named “explorerpro”, “sampledatainstall” and “colorpictures”:
- /modules/explorerpro/action.php
- /modules/sampledatainstall/sampledatainstall-ajax.php
- /modules/colorpictures/ajax/upload.php
If you find these files, then the affected theme or module is vulnerable.
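One way to run this check from a shell on the server, as an added example (not a PrestaShop tool). It searches the whole tree, so copies bundled inside a theme are reported too; the function names and the store path passed as argument are assumptions.

```shell
#!/bin/sh
# Added example: look for the three files named in the advisory anywhere
# under a PrestaShop installation directory.

# Relative paths exactly as listed in the advisory.
ADVISORY_PATHS='modules/explorerpro/action.php
modules/sampledatainstall/sampledatainstall-ajax.php
modules/colorpictures/ajax/upload.php'

# Print every regular file under $1 whose path ends with an advisory path.
# The leading "*/" also matches copies nested deeper in the tree,
# for example a module shipped inside a theme directory.
find_advisory_files() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    printf '%s\n' "$ADVISORY_PATHS" | while IFS= read -r rel; do
        find "$root" -type f -path "*/$rel"
    done | sort
}

# Return status: 0 = none of the files found, 1 = at least one found,
# 2 = the given root is not a directory.
check_shop() {
    hits=$(find_advisory_files "$1") || return 2
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/AFFECTED: /'
        return 1
    fi
    echo "No file from the advisory found under $1"
    return 0
}

# Usage: sh check_advisory.sh /path/to/your/store   (path is an assumption)
if [ "$#" -gt 0 ]; then
    check_shop "$1"
    exit $?
fi
```

A result of 0 only means these three paths are absent; it says nothing about the version of any other module or theme.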
What to do?
If you are affected, the easiest solution is to deactivate and then delete these modules if you do not need them. If you are still using these modules, you must update them to their latest version.
If these files are included in a theme, make sure you have the latest version installed on your online store. If necessary, contact the theme developer.
Finally, the service providers who work with you on your website are obviously the right people to talk to if you have any doubts: they will know what to do in order to protect your online store. You can also contact our help center and view our selection of partners.
Fortunately, most online stores created with PrestaShop use other themes or seem to work with up-to-date versions of these modules and are not at risk.
Again, we want to thank those of you who reported this security issue. Let's keep on improving the security of PrestaShop and its extensions, together.