PrestaShop
CVE-2025-25691
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Admin-only endpoint with CSRF token implies PR:H; arbitrary code execution warrants C:H/I:H/A:H, not the provided C:L/I:L/A:N.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.
AnalysisAI
Remote code execution in PrestaShop 8.2.0 is achievable through a PHAR deserialization flaw in the theme import endpoint (/themes/import), where a crafted POST request containing a malicious PHP Archive triggers arbitrary code execution on the server. A publicly available proof-of-concept exploit exists on GitHub, lowering the technical barrier for skilled attackers. No active exploitation has been confirmed in CISA KEV, but the combination of a public POC and a targeted admin-facing endpoint warrants prompt remediation for any deployment on this version.
Technical ContextAI
The vulnerability resides in PrestaShop's theme import functionality (CPE: cpe:2.3:a:prestashop:prestashop:8.2.0:*:*:*:*:*:*:*), which accepts uploaded archive files to install custom storefront themes. PHP's PHAR (PHP Archive) stream wrapper has a well-documented behavior where it triggers PHP object deserialization automatically when a PHAR file is accessed - even through otherwise-safe file operations such as file_exists() or include() - making it a powerful deserialization gadget chain entry point. The vulnerability is classified CWE-77 (Improper Neutralization of Special Elements Used in a Command), indicating that the PHP deserialization chain ultimately results in OS-level command injection rather than purely in-process PHP object manipulation. The reference URLs in the NVD data point to a PrestaShop admin-panel path that includes a CSRF token parameter, confirming this endpoint is within the authenticated back-office of PrestaShop.
RemediationAI
No specific patched version has been independently confirmed from the available data - administrators should monitor the PrestaShop GitHub repository at https://github.com/PrestaShop/PrestaShop and official PrestaShop security channels for a released fix, and upgrade as soon as one is available. As an immediate compensating control, restrict access to the admin theme import endpoint (/admin/index.php/improve/design/themes/import) at the web server or WAF level to trusted IP addresses only, preventing external attackers from reaching the endpoint even with valid credentials. Hardening PHP to restrict PHAR stream wrapper usage (setting phar.readonly = On in php.ini and constraining open_basedir) reduces deserialization attack surface but may break legitimate theme management functionality - test in staging first. Enforce multi-factor authentication on all PrestaShop admin accounts to raise the cost of credential compromise, and audit current admin users for unauthorized access. These controls address the attack pathway but are not substitutes for applying the vendor patch.
More in Prestashop
View allPrestaShop is an Open Source e-commerce platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog
reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for Prest
reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allow
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file u
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for Pre
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for Pre
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfi
An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade func
In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logg
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today