I just saw this on CVE Security Scorecard. It's on quite a few security sites.
Vulnerability Details : CVE-2025-50972
AbanteCart 1.4.2 Unauthenticated SQL Injection via tmpl_id Parameter in index.php
SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmpl_id parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP(), and UNION-based injection to extract arbitrary data.
Base Score: 9.8 Base Severity: CRITICAL Impact Score 5.9 First Seen 8/27/2025
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
https://www.cvedetails.com/cve/CVE-2025-50972/
Any idea's or a patch that can be done? I'm thinking maybe write a line to block the query string right into Apache in pre-main include, and block it server wide, as I plan only on having one store a dev site, and will own any other sites on there. I can't think of any reason this would cause me issues. Any thoughts ?
Hello.
We are aware of CVE-2025-50972. Our development team has already addressed the issue.
You can apply the fix in the following commit on our GitHub repository:
https://github.com/abantecart/abantecart-src/commit/84cdc72d10d7b1de9947b746db15e4985ddda4c8?w=1
If you do not want to patch the code, you can disable the Page builder extension