9.8
PrestaShop Advanced Popup Creator: Remote SQL Attack Risk via Popup Controller
CVE-2025-69633
Summary
An unauthenticated remote attacker can access and manipulate data in a PrestaShop store by injecting SQL through the Advanced Popup Creator module. Module versions 1.1.26 through 1.2.6 are affected. Update the module to version 1.2.7 to fix this issue.
Original title
A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to exe...
Original description
A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup controller. The parameter is passed unsanitized to SQL queries in classes/AdvancedPopup.php (getPopups() and updateVisits() functions).
NVD CVSS 3.1
9.8
Vulnerability type
CWE-89
SQL Injection
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026
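
Added example (not code from the module or its vendor): a log-triage check that flags requests to the module whose fromController value is not a plain controller name, which is what the description above implies a legitimate value looks like. The allowlist pattern, the two URL styles (PrestaShop's usual module front-controller routes) and the sample lines are assumptions; a value sent in a POST body will not appear in an access log and needs the same check at a WAF or in application logging.

```python
import re
from urllib.parse import urlsplit, parse_qs

MODULE = "advancedpopupcreator"
# Assumption: a legitimate fromController is a bare controller name.
SAFE_CONTROLLER = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request part of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_from_controller(log_line):
    """Return decoded fromController values in this line that fail the
    allowlist; [] if the line is clean or does not reach the module."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    params = parse_qs(url.query)  # percent-decodes the values
    # Friendly URL (/module/<name>/...) or index.php?fc=module&module=<name>
    to_module = MODULE in url.path or MODULE in params.get("module", [])
    if not to_module:
        return []
    return [v for v in params.get("fromController", [])
            if not SAFE_CONTROLLER.fullmatch(v)]


def triage(lines):
    """Return (line number, client IP, offending value) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for value in suspicious_from_controller(line):
            hits.append((n, line.split()[0], value))
    return hits


# Constructed sample lines, not taken from a real store.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Mar/2026:10:01:02 +0000] "GET /module/advancedpopupcreator/popup?fromController=product HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Mar/2026:10:01:05 +0000] "GET /module/advancedpopupcreator/popup?fromController=index%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Mar/2026:10:01:09 +0000] "POST /index.php?fc=module&module=advancedpopupcreator&controller=popup&fromController=cart%27%29--%20 HTTP/1.1" 200 512',
    '198.51.100.4 - - [06/Mar/2026:10:02:00 +0000] "GET /index.php?controller=category&fromController=x%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for lineno, ip, value in triage(SAMPLE_LOG):
        print(f"line {lineno}: {ip} sent fromController={value!r}")
```

Hits on a store that ran module versions 1.1.26 through 1.2.6 are a reason to review the database for unexpected reads or changes, not only to patch.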