CVE-2025-69633 · CRITICAL 9.8 · EPSS p27.5%

Description

A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup controller. The parameter is passed unsanitized to SQL queries in classes/AdvancedPopup.php (getPopups() and updateVisits() functions).

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.36% probability of exploitation · percentile 27.5% · 2026-06-19T12:03:05Z
Published: 2026-02-13
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-89

References

  1. https://addons.prestashop.com/en/pop-up-gamification/23773-popup-on-entry-exit-popup-and-newsletter.html
  2. https://labs.esokia.com/cve/cve-2025-69633/

Type: Weakness
Target: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-13192
  2. CVE-2025-12293
  3. CVE-2025-9692
  4. CVE-2025-46109
  5. CVE-2025-12292
  6. CVE-2025-1956

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.