Jump to content

Major security issues with few modules and themes.

Antoine F

Recommended Posts

Hello everyone,


The last few weeks have seen security issues arise in PrestaShop ecosystem, due to serious flaws in some popular modules and themes. The latest versions of PrestaShop do not have known security issues.


We’ve created this thread to centralize the current available information. Feel free to share your tips, and most importantly: UPGRADE YOUR INSTALLATION!

Make sure your modules and your theme is up-to-date! And if you can, upgrade PrestaShop to the latest and safest version: PrestaShop



The Warehouse theme

Warehouse is a very popular theme, sold through the ThemeForest marketplace (not available on PrestaShop Addons). But while the latest version (3.8.1, released July 19th) is safe, older version have modules which contain a serious security flaw.


The initial security fix was released on June 18th, with version 3.7.7. The initial issue was with the theme’s own Image Banners module.


Other modules included with the Warehouse theme appear to be problematic. In all, the community has given feedback about the following Warehouse-included modules:


  • Simpleslideshow

  • Columnadverts

  • Homepageadvertise

  • Productpageadverts


The author has quickly released issues, and also posted a thorough article on how to check your store and clean it, and contacted the people who bought this theme.


Community member Lesley Paone, from Dh42, has published his own article, which includes a hotfix script to help you clean your installation.



Problematic modules

The community also gave us feedback about the following modules:


  • Advancedslider

  • Attributewizardpro

  • Columnadverts

  • Homepageadvertise

  • Homepageadvertise2

  • Productpageadverts

  • Videostab

  • vtermslidesshow


While we can’t confirm that all of them are related with these issues, you should double-check your store and see if you use the latest version of each of these modules.



Attribute Wizard Pro module

The community-created Attribute Wizard Pro module was found to be flawed. It has been fixed by the author on July 9th, and we strongly advise you to update yours to its latest version, v1.7.14.



VTEM Slideshow module

The community-created VTEM Slideshow module also suffers from a serious security flaw. We currently have no way of knowing whether it has been fixed or not.



Abandoned Cart Reminder Pro module

An Addons-created module was found to be vulnerable, and was fixed last week. It was put offline by the Addons team as soon as we learned about the issue, and is back online now that it is fixed it.


In addition to that, Addons customers who bought the module received an e-mail notification about the security optimization.



Send to a Friend module

While not being a security issue per-se, the native Send to a Friend module, which is included in every version of PrestaShop, was recently found to have an issue which allowed malicious people to spam e-mail addresses using the store’s web server.


The issue was fixed thanks to a community member, and a safe version is available since June 2016. The community member in question wrote about it this week.



How PrestaShop Addons reacted

The Addons team takes security very seriously -- we even have a team member solely dedicated to security.


All modules (even module updates) submitted to Addons must pass the PrestaShop Validator automated tests, and Addons developers also check on new modules to make sure they work safely.


Even so, sometimes bad code pass our automatic and human filters: that’s what happened with the Abandoned Cart Reminder Pro module above. Luckily, our community has our back and warned us.


We have a process for when we learn of a security issue in a module or a theme:


  1. Put it offline from Addons.

  2. Contact its developer about it.

  3. Wait for the developer to fix the issue and release a new version on Addons.

  4. Put the addons back online with the fixed issue.

  5. Contact all the Addons customers who bought the addon, warning them to update their store’s module.


This is exactly the process we followed. A batch e-mail was sent this week, advise customers to update their installation of the Abandoned Cart module.


To prevent further issues, we have put offline some modules that seem to prevent the same issue, and we have strengthened our security process.



What you can do

Even if there are no recent security updates concerning your theme or modules, we advise you to check if you are infected or not.


In short: if you have the Warehouse theme or any of the modules listed above, DO UPGRADE THEM. Contact their respective author if you need to: we listed their website or product sheet above.


The tricky part is that every site is different, and the security flaws are mostly the same, each hacker has his own set of files to upload. Hence, cleaning up an infected store can be automatically done: the most secure way is to rely on a recent backup of your files.

Moreover, listing the flawed files would be giving too much information for potential hackers…


We did hear of a hack which replaced the /controllers/admin/adminLoginController file with its own, so even though no new file has been uploaded, your site will be more secure if you use a backup (or if you upgrade to the latest version of PrestaShop). Check the last modification date of your files using an FTP client, such as Filezilla!


On top of cleaning up your files (or replacing them with a recent backup), what you should do in case of a confirmed infection is:


  • Change your back office password, and that of other admin accounts. Check the Employee page to make sure no new employee has been created.

  • Change your SQL password.

  • Change your FTP password.


We hope your site is safe and sound.

  • Like 2

Share this post

Link to post
Share on other sites

  • 2 years later...
  • 4 months later...
  • 9 months later...
  • 5 months later...

We've seen nowadays attack on following modules:

- bamegamenu using ajax_phpcode.php script

- smartprestashoptheadmin module using ajax_smartprestashoptheadmin.php

- groupcategory module using GroupCategoryUploadImage.php script

- verticalmegamenus module using VerticalMegaMenusUploadImage.php

Share this post

Link to post
Share on other sites

  • 10 months later...

jmsslider module also has critical security issue at ajax_jmsslider.php

one can upload any file type with any extension thru POST request /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image

uploaded file is moved to /modules/jmsslider/views/img/layers/ folder

sample log follows


- -  02/Jan/2021:15:04:50 +0200 `POST /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image` 200 /home/zalupa/htdocs/modules/jmsslider/ajax_jmsslider.php 140.453 4096 42.72%
- -  02/Jan/2021:15:04:51 +0200 `GET /modules/jmsslider/views/img/layers/small.php` 200 /home/zalupa/htdocs/modules/jm
sslider/views/img/layers/small.php 0.806 2048 0.00%


Share this post

Link to post
Share on other sites

  • El Patron locked and unpinned this topic
This topic is now closed to further replies.

  • Create New...

Important Information

Cookies ensure the smooth running of our services. Using these, you accept the use of cookies. Learn More