Improper authorization control for web services in prestashop/ps_checkout

Description

PrestaShop Checkout allows customer account takeover via email.

Impact

Missing validation in the Express Checkout feature allows silent log-in.

Affected versions

The issue was introduced in PrestaShop Checkout 1.3.0.

All versions above 1.3.0 are vulnerable, except the patch versions published on 16/10/2025: 7.4.4.1, 8.4.4.1, 7.5.0.5, 8.5.0.5 and 9.5.0.5.

Patches

The problem has been patched in the following versions:

    v4.4.1 for PrestaShop 1.7 (build number: 7.4.4.1)
    v4.4.1 for PrestaShop 8 (build number: 8.4.4.1)
    v5.0.5 for PrestaShop 1.7 (build number: 7.5.0.5)
    v5.0.5 for PrestaShop 8 (build number: 8.5.0.5)
    v5.0.5 for PrestaShop 9 (build number: 9.5.0.5)

Read our Versioning policy to learn more about our build numbers and versions of PrestaShop Checkout.

Credits

We would like to thank Léo CUNÉAZ for reporting the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
