
CVE-2025-61924: PrestaShop Checkout Target PayPal merchant account hijacking from backoffice

CVSS Score: 3.8 (CVSS 3.1)

Basic Information

EPSS Score: -
Published: 10/16/2025
Updated: 10/16/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| prestashop/ps_checkout | composer | < 4.4.1 | 4.4.1 |
| prestashop/ps_checkout | composer | >= 5.0.0, < 5.0.5 | 5.0.5 |

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The security advisory GHSA-wvpg-4wrh-5889 describes a validation bypass caused by incorrect use of PHP's array_search() function. Analysis of the associated patch commit b8e141bba4910e69ec299dcf4b9205bbe95dd7b7 confirms this. The function PrestaShop\Module\PrestashopCheckout\Validator\BatchConfigurationValidator::validateAjaxBatchConfiguration evaluated the result of array_search() in a loose boolean check, so a return value of 0 (the key found at the first position of the array) was treated as false and the security check was bypassed. This allowed an attacker to modify blacklisted configuration values, potentially leading to the hijacking of a PayPal merchant account.
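The following is an added illustration, not code from the ps_checkout module: it reproduces the loose array_search() check described above and contrasts it with a strict comparison. The blacklist key names and the batch payload are constructed for the example.

```php
<?php
// Added example (not the module's own code). Key names below are hypothetical;
// the point is that the first blacklisted key sits at index 0.
const BLACKLISTED_KEYS = [
    'PS_CHECKOUT_PAYPAL_MERCHANT_ID',   // index 0 -> triggers the bug
    'PS_CHECKOUT_PAYPAL_EMAIL',         // index 1
];

/**
 * Vulnerable pattern: array_search() returns the matching index, and for the
 * first element that index is 0. In a loose check, 0 is falsy, so the key is
 * treated as "not blacklisted" and the update is allowed.
 */
function isAllowedVulnerable(string $key): bool
{
    $found = array_search($key, BLACKLISTED_KEYS);
    if (!$found) {          // 0 == false under loose comparison
        return true;        // blacklisted key wrongly allowed
    }
    return false;
}

/**
 * Hardened pattern: only the literal boolean false means "not found", so the
 * comparison must be strict (===). Passing strict=true also avoids type
 * juggling when comparing the key against the blacklist entries.
 */
function isAllowedFixed(string $key): bool
{
    return array_search($key, BLACKLISTED_KEYS, true) === false;
}

/** Validate a batch of configuration updates; returns the keys rejected. */
function validateBatch(array $batch, callable $isAllowed): array
{
    $rejected = [];
    foreach ($batch as $key => $value) {
        if (!$isAllowed($key)) {
            $rejected[] = $key;
        }
    }
    return $rejected;
}

// Constructed batch mixing both blacklisted keys with a harmless one.
$batch = [
    'PS_CHECKOUT_PAYPAL_MERCHANT_ID' => 'changed-by-request',
    'PS_CHECKOUT_PAYPAL_EMAIL'       => 'changed-by-request',
    'PS_CHECKOUT_SOME_HARMLESS_KEY'  => 'value',
];

var_dump(validateBatch($batch, 'isAllowedVulnerable'));
var_dump(validateBatch($batch, 'isAllowedFixed'));
```

With the vulnerable checker only the key at index 1 is rejected, while the key at index 0 passes through; with the strict version both blacklisted keys are rejected and only the harmless key is accepted.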

In addition to this primary vulnerability, the same patch addresses a significant path traversal vulnerability. The functions AdminAjaxPrestashopCheckoutController::ajaxProcessGetLogs and AdminAjaxPrestashopCheckoutController::ajaxProcessDownloadLogs accepted a filename from user input without sufficient sanitization. This allowed an authenticated administrator to read or download arbitrary files from the server's filesystem by crafting a malicious path (e.g., ../../config/settings.inc.php). The PrestaShop\Module\PrestashopCheckout\Logger\LoggerFileReader::read function was the component that ultimately performed the file read operation and was hardened to prevent this.

Both vulnerabilities require administrator privileges to be exploited. The identified functions are the direct points where the vulnerabilities existed and would be present in a runtime profile during an exploit.

Vulnerable functions

PrestaShop\Module\PrestashopCheckout\Validator\BatchConfigurationValidator::validateAjaxBatchConfiguration
File: src/Validator/BatchConfigurationValidator.php
The original code used `array_search` to check whether a configuration key was blacklisted. `array_search` returns an index of 0 if the item is found at the beginning of the array, and in a loose boolean check `0` evaluates to `false`, causing the validation to be bypassed. This allows an attacker to modify a supposedly blacklisted configuration key, which could lead to account hijacking.

AdminAjaxPrestashopCheckoutController::ajaxProcessGetLogs
File: controllers/admin/AdminAjaxPrestashopCheckoutController.php
This function handles requests to get log files. The user-controlled `file` parameter was not properly sanitized before being used to construct a file path. This allowed a path traversal, enabling an attacker with admin access to read arbitrary files from the server.

AdminAjaxPrestashopCheckoutController::ajaxProcessDownloadLogs
File: controllers/admin/AdminAjaxPrestashopCheckoutController.php
Similar to `ajaxProcessGetLogs`, this function for downloading log files was vulnerable to path traversal. The user-supplied `file` parameter was not validated correctly, allowing an attacker with admin privileges to download arbitrary files from the server.

PrestaShop\Module\PrestashopCheckout\Logger\LoggerFileReader::read
File: src/Logger/LoggerFileReader.php
This function was the core of the path traversal vulnerability. It was modified to validate the filename before reading it. Previously it accepted a pre-constructed `SplFileObject` and trusted the caller to have performed validation, which was not the case, allowing arbitrary files to be read.
