CVE-2025-61922
📋 TL;DR
A critical authentication bypass vulnerability in PrestaShop Checkout payment module allows attackers to silently log in as any user via email manipulation during Express Checkout. This enables complete account takeover of customer accounts. All PrestaShop installations using affected versions of the Checkout module are vulnerable.
💻 Affected Systems
- PrestaShop Checkout (official PayPal payment module)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all customer accounts, unauthorized purchases, data theft, and administrative account takeover if admin emails are known.
Likely Case
Attackers take over customer accounts to make fraudulent purchases, steal personal information, and abuse stored payment methods.
If Mitigated
With proper monitoring, unauthorized logins can be detected and blocked, but the vulnerability still exists until patched.
🎯 Exploit Status
The vulnerability requires no authentication and involves manipulating email parameters during the Express Checkout flow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.1 or 5.0.5
Vendor Advisory: https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh
Restart Required: No
Instructions:
1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find the 'PrestaShop Checkout' module.
4. Click 'Upgrade' to version 4.4.1 (for PrestaShop 1.7) or 5.0.5 (for PrestaShop 8).
5. Clear the PrestaShop cache after the upgrade.
🔧 Temporary Workarounds
Disable Express Checkout
Temporarily disable the vulnerable Express Checkout feature until the module is patched.
🧯 If You Can't Patch
- Implement strict rate limiting on login attempts and Express Checkout requests
- Enable detailed logging of all authentication events and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check PrestaShop Checkout module version in admin panel under Modules > Module Manager > PrestaShop Checkout
Check Version:
No direct CLI command; check via the PrestaShop admin interface or with a database query: SELECT version FROM ps_module WHERE name = 'ps_checkout' (ps_ is the default table prefix; substitute your own if the shop was installed with a different one)
Verify Fix Applied:
Confirm module version shows 4.4.1 or higher (for PrestaShop 1.7) or 5.0.5 or higher (for PrestaShop 8)
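Comparing module versions by hand is error-prone because a plain string comparison sorts '4.10.0' before '4.4.1'. The following helper is an added example, not part of this advisory or of the ps_checkout project: it parses the version string returned by the ps_module query above and applies the branch-specific fixed versions (4.4.1 for the 4.x line, 5.0.5 for the 5.x line). Treating anything below 4.x as unpatched and anything above 5.x as patched is an assumption made here, not a statement from the advisory.

```python
import re

# Fixed versions from the vendor advisory, keyed by module major version:
# 4.x line (PrestaShop 1.7) is fixed in 4.4.1, 5.x line (PrestaShop 8) in 5.0.5.
PATCHED = {4: (4, 4, 1), 5: (5, 0, 5)}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Turn '4.4.1' into (4, 4, 1) so comparisons are numeric, not lexical.
    Trailing suffixes such as '-beta' are ignored (assumption about the format)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def checkout_module_is_patched(version: str) -> bool:
    """True if the installed ps_checkout version is at or above the fixed release
    for its branch. Returns False on any parse failure so that an odd value is
    never silently treated as safe."""
    try:
        v = parse_version(version)
    except ValueError:
        return False
    fixed = PATCHED.get(v[0])
    if fixed is None:
        # Assumption (not from the advisory): lines older than 4.x are unpatched,
        # lines newer than 5.x were released after the fix.
        return v[0] > 5
    return v >= fixed


if __name__ == "__main__":
    # Constructed sample values standing in for the ps_module query result.
    for installed in ("4.3.9", "4.4.1", "4.10.0", "5.0.4", "5.0.5", "garbage"):
        state = "patched" if checkout_module_is_patched(installed) else "VULNERABLE"
        print(f"ps_checkout {installed}: {state}")
```

Feed the function the single value returned by the SQL query; a result of False for a 4.x or 5.x install means the upgrade steps above still need to be applied.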
📡 Detection & Monitoring
Log Indicators:
- Multiple login attempts from same IP with different email addresses
- Express Checkout requests with unusual email patterns
- Successful logins without password verification
Network Indicators:
- Unusual Express Checkout API call patterns
- Multiple authentication requests in short timeframes
SIEM Query:
source="prestashop" AND (event="express_checkout" OR event="login") | stats count by email, ip_address | where count > threshold
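The SIEM query above counts events per email and IP; the first log indicator listed (one IP cycling through many email addresses) is easier to spot by counting distinct emails per IP inside a time window. The script below is an added example, not tooling from PrestaShop or this advisory, and it runs over constructed log lines in a simple key=value shape that stands in for whatever format your authentication logging actually emits; the field names (event, ip, email), the 10-minute window and the threshold of three distinct emails are all assumptions to adjust for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real PrestaShop output). One IP runs
# Express Checkout plus login for three different customers within seconds;
# a second IP logs in normally as a single customer.
SAMPLE_LOG = """\
2025-10-01T12:00:01Z event=express_checkout ip=203.0.113.5 email=alice@example.com
2025-10-01T12:00:03Z event=login ip=203.0.113.5 email=alice@example.com
2025-10-01T12:00:09Z event=express_checkout ip=203.0.113.5 email=bob@example.com
2025-10-01T12:00:11Z event=login ip=203.0.113.5 email=Bob@example.com
2025-10-01T12:00:15Z event=express_checkout ip=203.0.113.5 email=carol@example.com
2025-10-01T12:00:17Z event=login ip=203.0.113.5 email=carol@example.com
2025-10-01T12:05:00Z event=login ip=198.51.100.7 email=dave@example.com
2025-10-01T12:05:40Z event=login ip=198.51.100.7 email=dave@example.com
2025-10-01T13:00:00Z event=express_checkout ip=203.0.113.5 email=erin@example.com
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) ip=(?P<ip>\S+) email=(?P<email>\S+)$"
)

WATCHED_EVENTS = {"express_checkout", "login"}


def parse_events(text: str) -> list:
    """Parse the constructed key=value lines into dicts; skip anything that
    does not match so one bad line cannot abort the whole scan."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": m["event"],
            "ip": m["ip"],
            # Normalise case so Bob@ and bob@ count as the same account.
            "email": m["email"].lower(),
        })
    return events


def find_suspicious_ips(events: list,
                        window: timedelta = timedelta(minutes=10),
                        min_distinct_emails: int = 3) -> dict:
    """Return {ip: sorted distinct emails} for every IP that used at least
    min_distinct_emails different email addresses in express_checkout/login
    events inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in WATCHED_EVENTS:
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            emails = {e["email"] for e in evs[start:end + 1]}
            if len(emails) >= min_distinct_emails:
                flagged[ip] = sorted(emails)
                break
    return flagged


if __name__ == "__main__":
    hits = find_suspicious_ips(parse_events(SAMPLE_LOG))
    for ip, emails in hits.items():
        print(f"ALERT {ip}: {len(emails)} distinct emails in window -> {', '.join(emails)}")
```

The sliding window matters: the same IP using a fourth email an hour later is not by itself evidence of abuse, so it is excluded from the alert, whereas three different accounts within twenty seconds is exactly the pattern the log indicators above describe. Tune the threshold against shared-NAT traffic before paging anyone on it.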