
CVE-2025-61922: PrestaShop Checkout allows customer account takeover via email

CVSS Score (v3.1)
9.1

Basic Information

EPSS Score
-
Published
10/16/2025
Updated
10/16/2025
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| prestashop/ps_checkout | composer | < 4.4.1 | 4.4.1 |
| prestashop/ps_checkout | composer | >= 5.0.0, < 5.0.5 | 5.0.5 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in the Express Checkout feature of the PrestaShop Checkout module. The root cause is improper authentication in the PsCheckout\Infrastructure\Action\CustomerAuthenticationAction::execute method. When a user performs an express checkout, this method checks if an account already exists with the provided email address. If it does, it logs the user into that account without requiring a password, leading to a critical account takeover vulnerability. The patch addresses this by completely removing the vulnerable logic from CustomerAuthenticationAction::execute and changing the calling function, PsCheckout\Core\Customer\Action\ExpressCheckoutAction::execute, to create a new guest account instead of attempting to log in an existing user. Additional validation was also added in the ps_checkoutExpressCheckoutModuleFrontController::postProcess method to ensure the PayPal order ID is associated with the current cart, providing an extra layer of security.

Vulnerable functions

PsCheckout\Infrastructure\Action\CustomerAuthenticationAction::execute
infrastructure/src/Action/CustomerAuthenticationAction.php
This function is vulnerable because it checks if a customer exists with the provided email address. If a customer exists, it authenticates them without any password check, leading to an account takeover. The function `customerExists` returns the customer ID if the email exists, and then a new `Customer` object is created with this ID and set in the context, effectively logging in the user.
PsCheckout\Core\Customer\Action\ExpressCheckoutAction::execute
core/src/Customer/Action/ExpressCheckoutAction.php
This function was responsible for calling the vulnerable `CustomerAuthenticationAction::execute` function when a user is not logged in during an express checkout. The patch removes this call and replaces it with logic to create a new guest customer, thus mitigating the account takeover vulnerability.
ps_checkoutExpressCheckoutModuleFrontController::postProcess
ps17/controllers/front/ExpressCheckout.php
This is the front controller that handles the express checkout process. It receives the request and triggers the vulnerable `ExpressCheckoutAction`. The patch adds a validation to check if the PayPal order ID from the request matches the one in the current cart context, which is a defense-in-depth measure against this and other potential issues.
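To make the described defect concrete, the following is an added example, not code from the ps_checkout module: it contrasts the vulnerable e-mail-only login path with the patched behaviour (guest account plus PayPal order id check) on simplified stand-in classes. `Customer`, `Context`, `CustomerRepository`, `vulnerableExpressCheckout` and `patchedExpressCheckout` are hypothetical names chosen for the illustration.

```php
<?php
// Added illustration, not code from the ps_checkout module: the unsafe pattern the advisory
// describes beside the patched behaviour, on simplified stand-in classes (all names hypothetical).
final class Customer
{
    public function __construct(public int $id, public string $email, public bool $isGuest) {}
}

final class Context
{
    public ?Customer $customer = null;         // stand-in for the PrestaShop context customer
    public ?string $cartPayPalOrderId = null;  // PayPal order id stored with the current cart
}

final class CustomerRepository
{
    private array $byEmail = [];
    private int $nextId = 1;
    public function register(string $email): int { return $this->byEmail[strtolower($email)] = $this->nextId++; }

    // Mirrors the page's description of customerExists(): the id if the e-mail is known, else null.
    public function customerExists(string $email): ?int { return $this->byEmail[strtolower($email)] ?? null; }

    // A separate guest record; nobody gets logged in.
    public function createGuest(string $email): Customer { return new Customer($this->nextId++, $email, true); }
}

// Vulnerable behaviour (< 4.4.1 and >= 5.0.0, < 5.0.5): a known e-mail is logged in with no password.
function vulnerableExpressCheckout(CustomerRepository $repo, Context $ctx, string $email): Customer
{
    $id = $repo->customerExists($email);
    // Account takeover: the request only carried an e-mail, yet the existing account becomes the session user.
    return $ctx->customer = $id !== null ? new Customer($id, $email, false) : $repo->createGuest($email);
}

// Patched behaviour as described: check the PayPal order belongs to this cart, then always use a guest.
function patchedExpressCheckout(CustomerRepository $repo, Context $ctx, string $email, string $orderId): Customer
{
    if ($ctx->cartPayPalOrderId === null || !hash_equals($ctx->cartPayPalOrderId, $orderId)) {
        throw new RuntimeException('PayPal order id does not belong to the current cart');
    }
    return $ctx->customer = $repo->createGuest($email);  // existing accounts are never authenticated here
}

$repo = new CustomerRepository();
$repo->register('victim@example.com');  // constructed sample account, gets id 1
$ctx = new Context();
$ctx->cartPayPalOrderId = 'ORDER-CONSTRUCTED-1';  // constructed order id stored with the cart
$before = vulnerableExpressCheckout($repo, $ctx, 'victim@example.com');                     // id 1, not a guest
$after = patchedExpressCheckout($repo, $ctx, 'victim@example.com', 'ORDER-CONSTRUCTED-1');  // id 2, guest
printf("vulnerable: id=%d guest=%d | patched: id=%d guest=%d\n", $before->id, $before->isGuest, $after->id, $after->isGuest);
```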

WAF Protection Rules

WAF Rule

# Impact
Missing validation on express checkout feature allows silent log-in.
# Patches
The problem has been patched in versions
- v*.*.* for PrestaShop *.* (build number: *.*.*.*)
- v*.*.* for PrestaShop * (build number: *.*.*.*)
- v*.*.* for Pres
