CVE-2025-50972 Vulnerability in 1.4.2

Started by kvlab, August 31, 2025, 10:34:01 PM


kvlab

I just saw this on CVE Security Scorecard.  It's on quite a few security sites.

Vulnerability Details : CVE-2025-50972   
AbanteCart 1.4.2 Unauthenticated SQL Injection via tmpl_id Parameter in index.php

SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmpl_id parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP(), and UNION-based injection to extract arbitrary data.
Base Score: 9.8 | Base Severity: CRITICAL | Impact Score: 5.9 | First Seen: 8/27/2025

 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')   
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
https://www.cvedetails.com/cve/CVE-2025-50972/

Any ideas or a patch that can be done?  I'm thinking maybe write a line to block the query string right into Apache in pre-main include, and block it server wide, as I plan only on having one store a dev site, and will own any other sites on there. I can't think of any reason this would cause me issues. Any thoughts?






Basara

#1
Hello.
We are aware of CVE-2025-50972. Our development team has already addressed the issue.

You can apply the fix in the following commit on our GitHub repository:

https://github.com/abantecart/abantecart-src/commit/84cdc72d10d7b1de9947b746db15e4985ddda4c8?w=1

If you do not want to patch the code, you can disable the Page builder extension.
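
A defensive check related to this thread, added here as an example (it is not AbanteCart's code and not part of either post): scan web server access logs for `tmpl_id` values that match the three techniques listed in the CVE description. The allowlist pattern, the function names and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate tmpl_id values are short identifiers; tune for your store.
SAFE_TMPL_ID = re.compile(r"[A-Za-z0-9_.-]{0,64}")

# Markers for the three techniques named in the CVE description.
TECHNIQUES = {
    "error-based (FLOOR)": re.compile(r"\bfloor\s*\(", re.I),
    "time-based (SLEEP)": re.compile(r"\bsleep\s*\(", re.I),
    "UNION-based": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
}

# Client, request target and status from an Apache common/combined log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def check_line(line):
    """Return (client, status, tmpl_id, labels) for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    parts = urlsplit(target)
    # index.php may also be reached implicitly through a directory URL.
    if not parts.path.endswith(("index.php", "/")):
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "tmpl_id" and not SAFE_TMPL_ID.fullmatch(value):
            labels = [n for n, rx in TECHNIQUES.items() if rx.search(value)]
            return client, int(status), value, labels or ["non-identifier value"]
    return None

def scan(lines):
    """Return every suspicious hit in an iterable of log lines."""
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Aug/2025:22:01:07 +0000] "GET /index.php?rt=index/home&tmpl_id=default HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Aug/2025:22:02:11 +0000] "GET /index.php?tmpl_id=1+AND+SLEEP(5) HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Aug/2025:22:02:40 +0000] "GET /index.php?tmpl_id=1+UNION+SELECT+NULL HTTP/1.1" 200 5120',
    '203.0.113.5 - - [31/Aug/2025:22:03:02 +0000] "GET /index.php?tmpl_id=1+AND+FLOOR(RAND(0)*2) HTTP/1.1" 500 310',
    '192.0.2.10 - - [31/Aug/2025:22:04:19 +0000] "GET /index.php?rt=product/product&product_id=50 HTTP/1.1" 200 7300',
]

if __name__ == "__main__":
    for client, status, value, labels in scan(SAMPLE_LOG):
        print(f"{client} status={status} tmpl_id={value!r} -> {', '.join(labels)}")
```

Access logs do not record POST bodies, so this only sees `tmpl_id` when it is passed in the query string.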
