4.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-51586

CVE-2025-51586: Presta Shop vulnerable to email enumeration

Impact

An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses.

Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts.

Patches

PrestaShop 8.2.3

Workarounds

You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-51586

CVE-2025-51586:

4.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
prestashop/prestashop	composer	< 8.2.3	8.2.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows an unauthenticated attacker to enumerate valid back-office employee email addresses by manipulating the id_employee parameter in the password reset functionality. The provided patch in controllers/admin/AdminLoginController.php clearly shows the vulnerable logic within the initContent function. Previously, the code would load an employee object based on the id_employee from the request and, if the employee existed, it would expose the employee's email address in the template. This allowed an attacker to cycle through potential employee IDs to harvest email addresses. The fix introduces a check to ensure that a valid reset_token is also provided and matches the one associated with the id_employee before the email is disclosed. Therefore, the AdminLoginController.initContent function is the specific location of the vulnerability, as it contains the logic that was exploited for email enumeration.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-51586: Presta Shop vulnerable to email enumeration

Impact

Patches

Workarounds

CVE-2025-51586:

4.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

4.2

4.2

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-51586: Presta Shop vulnerable to email enumeration

Impact

Patches

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI