News:

AbanteCart v1.4.2.1 is released.

Recent posts

#51
How-to questions / Estimate Shipping and taxes
Last post by ricardeaux - September 04, 2025, 12:47:08 PM
Estimate Shipping and taxes still appears on the checkout page although I have Free shipping selected.

I found it hidden... 4 hours later :)
#52
Security / Re: Building a bot for debuggi...
Last post by Dr_Sandra_Lee - September 04, 2025, 06:54:13 AM
That's a very tricky and frustrating bug! When you're dealing with an Access-Control-Allow-Origin error, it's a good idea to check your server configuration files, like the .htaccess file. Sometimes the header needs to be explicitly added to allow requests from other origins. It's an easy thing to miss, but it's a very common fix for this type of issue. I hope this helps you get it sorted out!
#53
Security / Re: CVE-2025-50972 Vulnerabili...
Last post by Basara - September 01, 2025, 03:18:43 AM
Hello.
We are aware of CVE-2025-50972. Our development team has already addressed the issue.

You can apply the fix in the following commit on our GitHub repository:

https://github.com/abantecart/abantecart-src/commit/84cdc72d10d7b1de9947b746db15e4985ddda4c8?w=1

If you do not want to patch the code, you can disable the Page builder extension
#54
Security / CVE-2025-50972 Vulnerability i...
Last post by kvlab - August 31, 2025, 10:34:01 PM
I just saw this on CVE Security Scorecard. It's on quite a few security sites.

Vulnerability Details: CVE-2025-50972
AbanteCart 1.4.2 Unauthenticated SQL Injection via tmpl_id Parameter in index.php

SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmpl_id parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP(), and UNION-based injection to extract arbitrary data.

Base Score: 9.8
Base Severity: CRITICAL
Impact Score: 5.9
First Seen: 8/27/2025

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
https://www.cvedetails.com/cve/CVE-2025-50972/

Any ideas or a patch that can be done? I'm thinking maybe writing a line to block the query string right into Apache in a pre-main include, and blocking it server wide, as I plan on having only one store, a dev site, and will own any other sites on there. I can't think of any reason this would cause me issues. Any thoughts?
#55
Support / Re: Can refunds be issued from...
Last post by ixl - August 31, 2025, 09:11:02 AM
I am extremely surprised at this.

You should still be able to credit back the order and produce a credit note.

It's a standard function IMHO.

Crediting the customer for future orders is not the same and even if you arrange the credit from the merchant gateway you use, you should still then be able to create the credit note of the order.

Very strange.

#56
Embedding / Re: Add To Cart Button Not Sho...
Last post by Dr_Sandra_Lee - August 30, 2025, 09:40:51 AM
The suggestions here about checking the core files and module settings are excellent. A simple thing that's often overlooked is the browser cache.

Sometimes the changes you make on the backend don't immediately reflect on the front end because the browser is showing a cached version of the page. It's always worth trying a hard refresh (Ctrl+F5) or clearing your browser's cache to see if that solves the issue. It's a quick fix that can sometimes save a lot of debugging time!
#57
General Discussion / Re: Removing SEO keyword on V....
Last post by Gargi Rana - August 28, 2025, 07:17:50 AM
If you deleted a category but still cannot reuse old SEO keywords, make sure the category is fully removed and deleted from the trash, and remove any redirects created by the SEO plugin. Then refresh/clear your site and browser cache so the keywords become usable again.
#58
General Support / Re: How do i export images?
Last post by fedorajoiner - August 27, 2025, 09:33:42 PM
Quote from: ryanVC on July 06, 2016, 06:21:37 AM
hello

is there a way to export my full product images that have been uploaded to the cart to a csv file, so i can have the image urls?

Yes, you can export product data (including image URLs) to CSV by using your e-commerce platform's built-in export tool or a plugin/app; check the product export settings and ensure the "image" or "image URL" field is included in the CSV.
#59
General Support / Re: SQL Errors on customer log...
Last post by brysonferguson - August 27, 2025, 03:39:39 AM
Quote from: Basara on February 28, 2025, 02:04:14 AM
Hello.
It looks like your AbanteCart store is missing the customer_sessions table in the database. This likely happened because the update did not fully complete the database upgrade or failed during the process.

Please check if the table exists in your database. If it's missing, you will need to recreate it manually (with database prefix ab73_).
https://github.com/abantecart/abantecart-src/blob/master/public_html/install/abantecart_database.sql#L738
Thanks for the heads-up! You're right — the customer_sessions table was missing in the database. Looks like the update process didn't complete properly. I'll recreate the table manually using the SQL from the link you provided. Appreciate the clear direction and the GitHub reference — very helpful!
#60
New Features Discussion / Re: Merge Orders
Last post by Mason McConnell - August 27, 2025, 12:23:10 AM
This is a great concept! While guaranteeing that consumers aren't overcharged for delivery, a "Merge Orders" tool would save administrators a great deal of time and labor.
