Skip to main content

XSS in FieldPopupNewsletter Prestashop Module CVE-2023-39676

This blog post details an XSS we found within the FieldPopupNewsletter module, developed by FieldThemes, for the popular ecommerce platform Prestashop.

The module contains a file called ajax.php with the following code:

$ppp = new FieldPopupNewsletter();
echo $ppp->newsletterRegistration($_POST['email']);

The newsletterRegistration function, called by the ajax.php file, contains code that lacks proper input validation:

public function newsletterRegistration($email) {
    if (empty($email) || !Validate::isEmail($email)) {
        echo $_GET['callback'] . '(' . json_encode(array('<p class="alert alert-danger">' . $this->l('Invalid email address.') . '</p>')) . ')';

The callback GET parameter is printed to the page without sanitization which makes it susceptibvle to XSS. One might think the fact a POST parameter is used might mitigate this vulnerability but closer reading reveals this works when $_POST['email'] isn’t set.

Proof of Concept

As a demonstration of the vulnerability, an attacker can craft a malicious URL, like the one shown below, to execute arbitrary JavaScript code on the target user’s browser:



XSS vulnerabilities are serious security risks that can lead to unauthorized access, data theft, and other malicious activities. In the case of the FieldPopupNewsletter module, a lack of input validation exposes users to potential attacks.

We strongly advise users of this module to update to the latest patched version, which should address the XSS vulnerability.


Date Action
10/07/2023 Issue discovered during a pentest
12/07/2023 Reported issue to FieldThemes
29/07/2023 Requested CVE from MITRE
28/08/2023 Number CVE-2023-39676 assigned
31/08/2023 Patch released
07/09/2023 Blog post and nuclei template released