CVE-2022-31101

HIGH NUCLEI

PrestaShop blockwishlist < 2.1.1 - Authenticated SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2022-31101. PoCs were published by Karthik UJ, MathiasReker, and karthikuj. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a time-based SQL injection vulnerability in the PrestaShop blockwishlist module 2.1.0. It extracts database information, including customer details, by leveraging a vulnerable parameter in the wishlist endpoint.

Description

prestashop/blockwishlist is a PrestaShop extension that adds a block containing the customer's wishlists. In affected versions, an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.

Exploits (3)

exploitdb WORKING POC
by Karthik UJ · python · webapps · php
https://www.exploit-db.com/exploits/51001

This exploit demonstrates a time-based SQL injection vulnerability in the PrestaShop blockwishlist module 2.1.0. It extracts database information, including customer details, by leveraging a vulnerable parameter in the wishlist endpoint.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: PrestaShop blockwishlist module 2.1.0
Auth required
Prerequisites: Valid cookie for authentication · Access to the wishlist endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 41 stars
by MathiasReker · poc
https://github.com/MathiasReker/blmvuln

This repository provides a scanner and remediation tool for CVE-2022-31101, a vulnerability in PrestaShop's MySQL Smarty cache storage. It detects and fixes code injection vulnerabilities and malware introduced via this exploit.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PrestaShop 1.6.1+ and thirty bees 1.0.0+
Auth required
Prerequisites: Access to PrestaShop admin panel · Module upload permissions
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 25 stars
by karthikuj · poc
https://github.com/karthikuj/CVE-2022-31101

This is a functional SQL injection exploit for CVE-2022-31101, targeting the PrestaShop blockwishlist module 2.1.0. It uses time-based blind SQLi to extract database information, including customer details and password hashes.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: PrestaShop blockwishlist module 2.1.0
Auth required
Prerequisites: Valid PrestaShop session cookie · Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Prestashop Blockwishlist 2.1.0 SQL Injection
HIGH · by mastercho

Scores

CVSS v3 8.1
EPSS 0.5699
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
prestashop/blockwishlist < 2.1.1
prestashop/blockwishlist 2.0.0 - 2.1.1 (Packagist)
Published Jun 27, 2022
Tracked Since Feb 18, 2026