Description
A SQL injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup controller. The parameter is passed unsanitized to SQL queries in classes/AdvancedPopup.php (getPopups() and updateVisits() functions).
References (2)
Various Sources: https://addons.prestashop.com/en/pop-up-gamification/23773-popup-on-entry-exit-popup-and-newsletter.html
Various Sources: https://labs.esokia.com/cve/cve-2025-69633/
Scores
CVSS v3: 9.8
EPSS: 0.0036
EPSS Percentile: 27.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-89
Status: published
Published: Feb 13, 2026
Tracked Since: Feb 18, 2026