URL: https://github.com/advisories/GHSA-wvpg-4wrh-5889

PrestaShop Checkout Target PayPal merchant account hijacking from backoffice · CVE-2025-61924 · GitHub Advisory Database · GitHub


Low severity · GitHub Reviewed · Published in PrestaShopCorp/ps_checkout

Package

prestashop/ps_checkout (Composer)

Affected versions

< 4.4.1
>= 5.0.0, < 5.0.5

Patched versions

4.4.1
5.0.5

Description

Impact

Incorrect use of PHP's array_search() allows validation to be bypassed.
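
The advisory does not show the affected code or say which misuse was involved. As an added illustration (not code from ps_checkout or the advisory; function names and sample values are hypothetical), these are the two common ways array_search() undermines a validation check, next to a strict version:

```php
<?php
// Added illustration; NOT ps_checkout code. Names and values are hypothetical.
$allowed = ['MERCHANT-A', 'MERCHANT-B'];   // constructed sample list

// Misuse 1: the return value is treated as a boolean.
// array_search() returns the matching KEY, and "not found" is false.
// Key 0 is falsy, so a match on the first element looks like "not found".
function isListedTruthy($value, array $list): bool
{
    return (bool) array_search($value, $list);
}

// Misuse 2: the third argument (strict) is omitted, so elements are
// compared with ==. A boolean true equals any non-empty string, and two
// numeric strings are compared as numbers.
function isListedLoose($value, array $list): bool
{
    return array_search($value, $list) !== false;
}

// Hardened: require the expected type, compare with ===, and test the
// result against false explicitly.
function isListedStrict($value, array $list): bool
{
    return is_string($value) && array_search($value, $list, true) !== false;
}

// Constructed inputs, such as values taken from a decoded JSON request body.
$cases = [
    ['MERCHANT-A', $allowed],  // value stored at key 0
    [true,         $allowed],  // boolean where a string is expected
    ['10',         ['1e1']],   // different numeric strings with the same value
];

foreach ($cases as [$value, $list]) {
    printf(
        "%-12s truthy=%s loose=%s strict=%s\n",
        var_export($value, true),
        var_export(isListedTruthy($value, $list), true),
        var_export(isListedLoose($value, $list), true),
        var_export(isListedStrict($value, $list), true)
    );
}
```

When only membership matters, in_array($value, $list, true) avoids the key-versus-false ambiguity altogether.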

Patches

The problem has been patched in versions:

  • v4.4.1 for PrestaShop 1.7 (build number: 7.4.4.1)
  • v4.4.1 for PrestaShop 8 (build number: 8.4.4.1)
  • v5.0.5 for PrestaShop 1.7 (build number: 7.5.0.5)
  • v5.0.5 for PrestaShop 8 (build number: 8.5.0.5)
  • v5.0.5 for PrestaShop 9 (build number: 9.5.0.5)

Read the Versioning policy to learn more about the build number.

Credits

Léo CUNÉAZ reported this issue.

Severity

Low

CVSS v3 base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: High
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

EPSS score

(16th percentile)

CVE ID

CVE-2025-61924

GHSA ID

GHSA-wvpg-4wrh-5889