Hackers are exploiting a flaw in a premium Facebook module for PrestaShop named pkfacebook to deploy a card skimmer on vulnerable e-commerce sites and steal people's payment card details.
PrestaShop is an open-source e-commerce platform that allows individuals and businesses to create and manage online stores. As of 2024, it is used by approximately 300,000 online stores worldwide.
Promokit's pkfacebook add-on is a module that allows shop visitors to log in using their Facebook accounts, leave comments under the shop's pages, and communicate with support agents using Messenger.
Promokit has over 12,500 sales on the Envato market, but the Facebook module is only sold through the vendor's website, and no sales figures are available for it.
The critical flaw, tracked as CVE-2024-36680, is an SQL injection vulnerability in pkfacebook's facebookConnect.php Ajax script that allows remote attackers to inject SQL through HTTP requests.
Analysts at TouchWeb discovered the flaw on March 30, 2024, but Promokit.eu said the flaw was fixed "a long time ago," without providing any proof.
Facebook PrestaShop module exploited to steal credit cards
www.bleepingcomputer.com