Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
This is a stored Cross-site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view.
An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover.
Patches
Patched in PrestaShop 8.2.6 and 9.1.1.
Workarounds
None.
Resources
- Reported by Savio at Doyensec (
anthropic@doyensec.com) in collaboration with Anthropic Research.
AnalysisAI
Stored XSS in PrestaShop back-office Customer Service enables unauthenticated attackers to achieve full back-office takeover via malicious Contact Us form submissions. The vulnerability affects PrestaShop versions prior to 8.2.6 and 9.0.0-9.1.0, with patches released in versions 8.2.6 and 9.1.1. Despite the 9.3 CVSS score reflecting critical severity due to network attack vector, low complexity, and scope change, the CVSS UI:R requirement (user interaction) means exploitation requires a back-office employee to open the malicious customer thread. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation despite the critical impact potential.
Technical ContextAI
This is a CWE-79 stored cross-site scripting vulnerability in PrestaShop's back-office Customer Service module. PrestaShop is an open-source e-commerce platform built on PHP. The vulnerability exists in the customer thread rendering logic within the administrative interface. When processing Contact Us form submissions, PrestaShop fails to properly sanitize the email address field before storing it in the database. Subsequently, when administrative users view customer service threads, the application retrieves and renders this unsanitized email field without proper output encoding, causing malicious JavaScript payloads to execute in the context of the administrator's browser session. The CPE identifiers pkg:composer/prestashop/prestashop confirm this affects the core PrestaShop application distributed via Composer package manager. The stored nature of this XSS makes it more dangerous than reflected XSS, as the payload persists and can affect multiple administrative users over time.
RemediationAI
Upgrade immediately to PrestaShop 8.2.6 (for 8.x installations) or PrestaShop 9.1.1 (for 9.x installations) as documented in GitHub Security Advisory GHSA-w9f3-qc75-qgx9 at https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-w9f3-qc75-qgx9. The vendor explicitly states no workarounds exist, making patching the only effective remediation. As an interim compensating control until patching is complete, restrict access to the back-office Customer Service interface to trusted networks only via IP allowlisting or VPN requirement, which reduces attack surface by preventing arbitrary internet users from accessing the vulnerable view even if malicious payloads are submitted; however, this does not prevent payload injection via the public Contact Us form and only delays exploitation. Additionally, implement Content Security Policy headers on back-office pages to restrict inline script execution, though this may interfere with legitimate PrestaShop administrative functionality and requires testing. Train administrative staff not to open customer service threads from untrusted or suspicious contact form submissions until patching is complete, though this is operationally impractical for active customer service operations. These compensating controls provide limited risk reduction and should not replace immediate patching.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30481
GHSA-w9f3-qc75-qgx9