PrestaShop

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

From XSS to RCE

  • PrestaXSRF: a PrestaShop exploitation script that elevates XSS to RCE or other critical vulnerabilities. For more info check this post. It supports PrestaShop 8.X.X and 1.7.X.X and provides, among others:
    • (RCE) PSUploadModule(); - upload a custom module: uploads a persistent module (backdoor) to PrestaShop.

ps_checkout ExpressCheckout silent login account takeover (CVE-2025-61922)

Missing identity validation in the ps_checkout module (versions before 5.0.5) lets an unauthenticated attacker switch their session to any customer account just by supplying that customer's email address.

  • Endpoint (unauthenticated): POST /module/ps_checkout/ExpressCheckout.
  • Flow: ExpressCheckout.php accepts attacker-controlled JSON, validates only orderID, builds an ExpressCheckoutRequest and calls ExpressCheckoutAction::execute().
  • Auth bug: in vulnerable versions ExpressCheckoutAction calls CustomerAuthenticationAction::execute() when no customer is logged in. That method only does customerExists(<payer_email>) followed by context->updateCustomer(new Customer($id)), so an existing email is enough to be logged in as that customer (no password or token check).
  • Attacker-controlled email: order.payer.email_address in the JSON payload, read by ExpressCheckoutRequest::getPayerEmail().

Exploitation steps

  1. Collect any registered customer email (admin is separate and not affected by this flow).
  2. Send an unauthenticated POST to the controller with orderID plus the victim email in order.payer.email_address.
  3. Even if the endpoint returns 500, the response still carries cookies for the victim's customer context (the session was switched before the error), enabling PII access or purchases with saved payment methods.

```http
POST /module/ps_checkout/ExpressCheckout HTTP/1.1
Host: <target>
Content-Type: application/json
Content-Length: 72

{"orderID":"1","order":{"payer":{"email_address":"victim@example.com"}}}
```
