Skip to main content

PrestaShop CVE-2025-25691

MEDIUM
Command Injection (CWE-77)
2025-07-30 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Admin-only endpoint with CSRF token implies PR:H; arbitrary code execution warrants C:H/I:H/A:H, not the provided C:L/I:L/A:N.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:54 vuln.today

DescriptionCVE.org

A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.

AnalysisAI

Remote code execution in PrestaShop 8.2.0 is achievable through a PHAR deserialization flaw in the theme import endpoint (/themes/import), where a crafted POST request containing a malicious PHP Archive triggers arbitrary code execution on the server. A publicly available proof-of-concept exploit exists on GitHub, lowering the technical barrier for skilled attackers. No active exploitation has been confirmed in CISA KEV, but the combination of a public POC and a targeted admin-facing endpoint warrants prompt remediation for any deployment on this version.

Technical ContextAI

The vulnerability resides in PrestaShop's theme import functionality (CPE: cpe:2.3:a:prestashop:prestashop:8.2.0:*:*:*:*:*:*:*), which accepts uploaded archive files to install custom storefront themes. PHP's PHAR (PHP Archive) stream wrapper has a well-documented behavior where it triggers PHP object deserialization automatically when a PHAR file is accessed - even through otherwise-safe file operations such as file_exists() or include() - making it a powerful deserialization gadget chain entry point. The vulnerability is classified CWE-77 (Improper Neutralization of Special Elements Used in a Command), indicating that the PHP deserialization chain ultimately results in OS-level command injection rather than purely in-process PHP object manipulation. The reference URLs in the NVD data point to a PrestaShop admin-panel path that includes a CSRF token parameter, confirming this endpoint is within the authenticated back-office of PrestaShop.

RemediationAI

No specific patched version has been independently confirmed from the available data - administrators should monitor the PrestaShop GitHub repository at https://github.com/PrestaShop/PrestaShop and official PrestaShop security channels for a released fix, and upgrade as soon as one is available. As an immediate compensating control, restrict access to the admin theme import endpoint (/admin/index.php/improve/design/themes/import) at the web server or WAF level to trusted IP addresses only, preventing external attackers from reaching the endpoint even with valid credentials. Hardening PHP to restrict PHAR stream wrapper usage (setting phar.readonly = On in php.ini and constraining open_basedir) reduces deserialization attack surface but may break legitimate theme management functionality - test in staging first. Enforce multi-factor authentication on all PrestaShop admin accounts to raise the cost of credential compromise, and audit current admin users for unauthorized access. These controls address the attack pathway but are not substitutes for applying the vendor patch.

CVE-2022-31181 CRITICAL POC
9.8 Aug 01

PrestaShop is an Open Source e-commerce platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2021-3110 CRITICAL POC
9.8 Jan 20

The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller

CVE-2020-15160 CRITICAL POC
9.8 Sep 24

PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog

CVE-2019-19595 CRITICAL POC
9.8 Dec 05

reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for Prest

CVE-2019-19594 CRITICAL POC
9.8 Dec 05

reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allow

CVE-2018-19355 CRITICAL POC
9.8 Nov 19

modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows

CVE-2018-19126 CRITICAL POC
9.8 Nov 09

PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file u

CVE-2018-8824 CRITICAL POC
9.8 May 10

modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for Pre

CVE-2018-8823 CRITICAL POC
9.8 Mar 28

modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for Pre

CVE-2018-13784 CRITICAL POC
9.1 Jul 09

PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfi

CVE-2024-41651 HIGH POC
8.1 Aug 12

An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade func

CVE-2020-26224 HIGH POC
7.5 Nov 16

In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logg

Share

CVE-2025-25691 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy