-
[CVE-2025-69633] Improper neutralization of SQL parameters in Advanced Popup Creator module from Idnovate for PrestaShop
A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop, before version 1.2.7, allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup controller.
-
[CVE-2025-61922] Customer account takeover via email in PrestaShop Checkout module for PrestaShop
Missing validation on Express Checkout feature in the PrestaShop Checkout module allows silent log-in, enabling customer account takeover via email.
-
[CVE-2025-51586] User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2
User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2 allows remote attackers to obtain administrator users' email addresses via manipulation of the id_employee and reset_token parameters. An attacker who has access to the Back Office login URL can trigger the password reset form to disclose the associated email address in a hidden field, even when the provided reset token is invalid. This issue has been fixed in 8.2.3.
-
[CVE-2023-45256] Improper neutralization of SQL parameters in Monetico Paiement module from EuroInformation for PrestaShop
In the module Monetico Paiement (MoneticoPaiement), multiple insecure parameters can allow a remote attacker to perform a SQL injection attack.
-
[CVE-2024-6648] Absolute Path Traversal vulnerability in AP Page Builder versions prior to 4.0.0
AP Page Builder is vulnerable to an absolute path traversal that allows an attacker to include system files by modifying the base64-encoded config parameter submitted to apajax.php.
-
[CVE-2025-24027] ps_contactinfo has potential XSS due to usage of the nofilter tag in template
ps_contactinfo has a cross-site scripting (XSS) weakness (which is not a standalone vulnerability) in versions up to and including 3.3.2
-
[CVE-2024-41670] Improperly Implemented Security Check for Standard in PayPal Official for PrestaShop
In the module “PayPal Official” for PrestaShop 1.7+ release <= 6.4.1 and for PrestaShop 1.6 release <= 3.18.0, a malicious customer can confirm as “payment accepted” an order even if payment is finally declined by PayPal.
-
[CVE-2024-36683] Improper neutralization of SQL parameter in Smart Modules - Products Alert module for PrestaShop
In the module “Products Alert” (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-34989] Improper neutralization of SQL parameter in RSI PDF/HTML catalog evolution (prestapdf) module for PrestaShop
In the module RSI PDF/HTML catalog evolution (prestapdf) from RSI for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-36682] Exposure of Private Personal Information to an Unauthorized Actor in Promokit.eu - Theme settings module for PrestaShop
In the module “Theme settings” (pk_themesettings) from Promokit.eu for PrestaShop, a guest can download all emails collected while the shop is in maintenance mode.