Search criteria
9 vulnerabilities found for prestashop_checkout by prestashop
CVE-2025-61924 (GCVE-0-2025-61924)
Vulnerability from nvd – Published: 2025-10-16 17:33 – Updated: 2025-10-16 19:22
Title
PrestaShop Checkout Target PayPal merchant account hijacking from backoffice
Summary
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the target PayPal merchant account can be hijacked from the backoffice due to wrong usage of the PHP array_search() function. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
Severity ?
3.8 (Low)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
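| URL | Tags |
|---|---|
| https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-wvpg-4wrh-5889 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| PrestaShopCorp | ps_checkout | Affected: < 4.4.1 |
| PrestaShopCorp | ps_checkout | Affected: >= 5.0.0, < 5.0.5 |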
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:28:03.936004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:22:58.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ps_checkout",
"vendor": "PrestaShopCorp",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the Target PayPal merchant account hijacking from backoffice due to wrong usage of the PHP array_search(). The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T17:33:49.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-wvpg-4wrh-5889",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-wvpg-4wrh-5889"
}
],
"source": {
"advisory": "GHSA-wvpg-4wrh-5889",
"discovery": "UNKNOWN"
},
"title": "PrestaShop Checkout Target PayPal merchant account hijacking from backoffice"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61924",
"datePublished": "2025-10-16T17:33:49.254Z",
"dateReserved": "2025-10-03T22:21:59.615Z",
"dateUpdated": "2025-10-16T19:22:58.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61922 (GCVE-0-2025-61922)
Vulnerability from nvd – Published: 2025-10-16 17:26 – Updated: 2025-10-17 14:00
Title
PrestaShop Checkout allows customer account takeover via email
Summary
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
Severity ?
9.1 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| PrestaShopCorp | ps_checkout | Affected: >= 1.3.0, < 4.4.1 |
| PrestaShopCorp | ps_checkout | Affected: >= 5.0.0, < 5.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61922",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:28:40.866720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:23:11.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ps_checkout",
"vendor": "PrestaShopCorp",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 4.4.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T14:00:38.840Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh"
}
],
"source": {
"advisory": "GHSA-54hq-mf6h-48xh",
"discovery": "UNKNOWN"
},
"title": "PrestaShop Checkout allows customer account takeover via email"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61922",
"datePublished": "2025-10-16T17:26:14.999Z",
"dateReserved": "2025-10-03T22:21:59.615Z",
"dateUpdated": "2025-10-17T14:00:38.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61923 (GCVE-0-2025-61923)
Vulnerability from nvd – Published: 2025-10-16 17:31 – Updated: 2025-10-16 19:23
Title
PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure
Summary
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
Severity ?
4.1 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
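| URL | Tags |
|---|---|
| https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-fpxp-pfqm-x54w | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| PrestaShopCorp | ps_checkout | Affected: < 4.4.1 |
| PrestaShopCorp | ps_checkout | Affected: >= 5.0.0, < 5.0.5 |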
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:28:20.537023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:23:05.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ps_checkout",
"vendor": "PrestaShopCorp",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T17:31:07.064Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-fpxp-pfqm-x54w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-fpxp-pfqm-x54w"
}
],
"source": {
"advisory": "GHSA-fpxp-pfqm-x54w",
"discovery": "UNKNOWN"
},
"title": "PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61923",
"datePublished": "2025-10-16T17:31:07.064Z",
"dateReserved": "2025-10-03T22:21:59.615Z",
"dateUpdated": "2025-10-16T19:23:05.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-61924
Vulnerability from fkie_nvd - Published: 2025-10-16 18:15 - Updated: 2025-12-29 20:06
Severity ?
3.8 (Low)
Summary
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the target PayPal merchant account can be hijacked from the backoffice due to wrong usage of the PHP array_search() function. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "4A067D2B-B83F-4AC5-830A-077589B9F27A",
"versionEndExcluding": "7.4.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "36D48F64-2C0D-4DF7-9FBB-26FF21B9C71B",
"versionEndExcluding": "7.5.0.5",
"versionStartIncluding": "7.5.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "78BB8AD6-68E4-426F-B9D9-1810D37193D4",
"versionEndExcluding": "8.4.4.1",
"versionStartIncluding": "8.3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "CF84DA7C-A801-4366-8463-F6FD21A69263",
"versionEndExcluding": "8.5.0.5",
"versionStartIncluding": "8.5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "FBB531A1-D85B-4987-89FB-EC28C974301F",
"versionEndExcluding": "9.5.0.5",
"versionStartIncluding": "9.4.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the Target PayPal merchant account hijacking from backoffice due to wrong usage of the PHP array_search(). The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist."
}
],
"id": "CVE-2025-61924",
"lastModified": "2025-12-29T20:06:15.343",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-16T18:15:39.140",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-wvpg-4wrh-5889"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-184"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-61922
Vulnerability from fkie_nvd - Published: 2025-10-16 18:15 - Updated: 2025-12-29 20:06
Severity ?
9.1 (Critical)
Summary
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "78BDECB6-6142-47A0-89D1-C96DE8B052EB",
"versionEndExcluding": "7.4.4.1",
"versionStartIncluding": "1.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "36D48F64-2C0D-4DF7-9FBB-26FF21B9C71B",
"versionEndExcluding": "7.5.0.5",
"versionStartIncluding": "7.5.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "78BB8AD6-68E4-426F-B9D9-1810D37193D4",
"versionEndExcluding": "8.4.4.1",
"versionStartIncluding": "8.3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "CF84DA7C-A801-4366-8463-F6FD21A69263",
"versionEndExcluding": "8.5.0.5",
"versionStartIncluding": "8.5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "FBB531A1-D85B-4987-89FB-EC28C974301F",
"versionEndExcluding": "9.5.0.5",
"versionStartIncluding": "9.4.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist."
}
],
"id": "CVE-2025-61922",
"lastModified": "2025-12-29T20:06:13.033",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-16T18:15:38.597",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-61923
Vulnerability from fkie_nvd - Published: 2025-10-16 18:15 - Updated: 2025-12-29 20:06
Severity ?
4.1 (Medium)
Summary
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-fpxp-pfqm-x54w | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * | |
| prestashop | prestashop_checkout | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "4A067D2B-B83F-4AC5-830A-077589B9F27A",
"versionEndExcluding": "7.4.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "36D48F64-2C0D-4DF7-9FBB-26FF21B9C71B",
"versionEndExcluding": "7.5.0.5",
"versionStartIncluding": "7.5.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "78BB8AD6-68E4-426F-B9D9-1810D37193D4",
"versionEndExcluding": "8.4.4.1",
"versionStartIncluding": "8.3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "CF84DA7C-A801-4366-8463-F6FD21A69263",
"versionEndExcluding": "8.5.0.5",
"versionStartIncluding": "8.5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*",
"matchCriteriaId": "FBB531A1-D85B-4987-89FB-EC28C974301F",
"versionEndExcluding": "9.5.0.5",
"versionStartIncluding": "9.4.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist."
}
],
"id": "CVE-2025-61923",
"lastModified": "2025-12-29T20:06:09.500",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-16T18:15:38.987",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-fpxp-pfqm-x54w"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2025-61924 (GCVE-0-2025-61924)
Vulnerability from cvelistv5 – Published: 2025-10-16 17:33 – Updated: 2025-10-16 19:22
Title
PrestaShop Checkout Target PayPal merchant account hijacking from backoffice
Summary
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the target PayPal merchant account can be hijacked from the backoffice due to wrong usage of the PHP array_search() function. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
Severity ?
3.8 (Low)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
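| URL | Tags |
|---|---|
| https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-wvpg-4wrh-5889 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| PrestaShopCorp | ps_checkout | Affected: < 4.4.1 |
| PrestaShopCorp | ps_checkout | Affected: >= 5.0.0, < 5.0.5 |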
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:28:03.936004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:22:58.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ps_checkout",
"vendor": "PrestaShopCorp",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the Target PayPal merchant account hijacking from backoffice due to wrong usage of the PHP array_search(). The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T17:33:49.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-wvpg-4wrh-5889",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-wvpg-4wrh-5889"
}
],
"source": {
"advisory": "GHSA-wvpg-4wrh-5889",
"discovery": "UNKNOWN"
},
"title": "PrestaShop Checkout Target PayPal merchant account hijacking from backoffice"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61924",
"datePublished": "2025-10-16T17:33:49.254Z",
"dateReserved": "2025-10-03T22:21:59.615Z",
"dateUpdated": "2025-10-16T19:22:58.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61923 (GCVE-0-2025-61923)
Vulnerability from cvelistv5 – Published: 2025-10-16 17:31 – Updated: 2025-10-16 19:23
Title
PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure
Summary
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
Severity ?
4.1 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
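| URL | Tags |
|---|---|
| https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-fpxp-pfqm-x54w | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| PrestaShopCorp | ps_checkout | Affected: < 4.4.1 |
| PrestaShopCorp | ps_checkout | Affected: >= 5.0.0, < 5.0.5 |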
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:28:20.537023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:23:05.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ps_checkout",
"vendor": "PrestaShopCorp",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T17:31:07.064Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-fpxp-pfqm-x54w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-fpxp-pfqm-x54w"
}
],
"source": {
"advisory": "GHSA-fpxp-pfqm-x54w",
"discovery": "UNKNOWN"
},
"title": "PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61923",
"datePublished": "2025-10-16T17:31:07.064Z",
"dateReserved": "2025-10-03T22:21:59.615Z",
"dateUpdated": "2025-10-16T19:23:05.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61922 (GCVE-0-2025-61922)
Vulnerability from cvelistv5 – Published: 2025-10-16 17:26 – Updated: 2025-10-17 14:00
Title
PrestaShop Checkout allows customer account takeover via email
Summary
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
Severity ?
9.1 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| PrestaShopCorp | ps_checkout | Affected: >= 1.3.0, < 4.4.1 |
| PrestaShopCorp | ps_checkout | Affected: >= 5.0.0, < 5.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61922",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:28:40.866720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:23:11.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ps_checkout",
"vendor": "PrestaShopCorp",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 4.4.1"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T14:00:38.840Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh"
}
],
"source": {
"advisory": "GHSA-54hq-mf6h-48xh",
"discovery": "UNKNOWN"
},
"title": "PrestaShop Checkout allows customer account takeover via email"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61922",
"datePublished": "2025-10-16T17:26:14.999Z",
"dateReserved": "2025-10-03T22:21:59.615Z",
"dateUpdated": "2025-10-17T14:00:38.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}