Skip to main content

PrestaShop CVE-2025-25692

MEDIUM
Command Injection (CWE-77)
2025-07-30 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
9.8 CRITICAL

Network-reachable POST endpoint, no auth required per PR:N, and stated arbitrary code execution justifies C:H/I:H/A:H over the NVD's underscored C:L/I:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:55 vuln.today

DescriptionCVE.org

A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.

AnalysisAI

Unauthenticated remote code execution in PrestaShop 8.2.0 is achievable via PHAR deserialization in the _getHeaders function, triggered through a crafted POST request. The publicly available proof-of-concept lowers the bar for exploitation against unpatched storefronts. No active KEV listing exists, but the network-accessible attack surface of e-commerce deployments and the confirmed exploit code make this a meaningful priority for PrestaShop 8.2.0 operators despite a low EPSS score of 0.77%.

Technical ContextAI

PrestaShop is a PHP-based open-source e-commerce platform (CPE: cpe:2.3:a:prestashop:prestashop:8.2.0:*:*:*:*:*:*:*). The vulnerability lives in the _getHeaders function, which processes attacker-influenced input without sanitizing PHP stream wrappers. PHP's PHAR (PHP Archive) stream wrapper - triggered when a function such as file_exists(), fopen(), or similar file-operation wrappers is called on a user-supplied path prefixed with 'phar://' - causes PHP to deserialize the PHAR archive manifest, invoking magic methods (__wakeup, __destruct) on serialized objects present in the archive. This allows an attacker to plant a crafted PHAR file whose deserialized object graph triggers CWE-77 (Command Injection) gadget chains, ultimately running arbitrary OS commands. The assigned CWE-77 (Improper Neutralization of Special Elements used in a Command) indicates that the deserialization chain culminates in injected command execution rather than pure object-graph abuse, which distinguishes this from a pure CWE-502 (Deserialization of Untrusted Data) case.

RemediationAI

Upgrade PrestaShop beyond 8.2.0; the exact patched release version is not confirmed in the available reference data - operators should monitor the official PrestaShop GitHub repository at https://github.com/PrestaShop/PrestaShop and the security advisory channel for a confirmed fixed version before upgrading. Until a patch is applied, restrict POST access to administrative and API endpoints at the WAF or reverse-proxy layer to limit the blast radius, noting that this may impact legitimate storefront functionality. Disable PHP PHAR stream wrapper processing at the php.ini level by setting 'phar.readonly = On' and ensuring no calls to PHAR functions are required by the application; this may break legitimate PHAR-packaged dependencies and should be tested in staging. Input to file-handling functions should be validated against an allowlist of paths server-side as a defense-in-depth measure. The researcher's PoC is documented at https://github.com/3em0/cve_repo/blob/main/preshop/CVE-2025-25692.md and should be reviewed by defenders to inform detection rule authoring.

CVE-2022-31181 CRITICAL POC
9.8 Aug 01

PrestaShop is an Open Source e-commerce platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2021-3110 CRITICAL POC
9.8 Jan 20

The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller

CVE-2020-15160 CRITICAL POC
9.8 Sep 24

PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog

CVE-2019-19595 CRITICAL POC
9.8 Dec 05

reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for Prest

CVE-2019-19594 CRITICAL POC
9.8 Dec 05

reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allow

CVE-2018-19355 CRITICAL POC
9.8 Nov 19

modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows

CVE-2018-19126 CRITICAL POC
9.8 Nov 09

PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file u

CVE-2018-8824 CRITICAL POC
9.8 May 10

modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for Pre

CVE-2018-8823 CRITICAL POC
9.8 Mar 28

modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for Pre

CVE-2018-13784 CRITICAL POC
9.1 Jul 09

PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfi

CVE-2024-41651 HIGH POC
8.1 Aug 12

An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade func

CVE-2020-26224 HIGH POC
7.5 Nov 16

In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logg

Share

CVE-2025-25692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy