-
[CVE-2026-39079] Sensitive data exposure via publicly accessible logs in upsshipping module from Agence Web 360 for PrestaShop
A sensitive data exposure vulnerability in the UPS Shipping Module (upsshipping) for PrestaShop, in all known versions up to and including 2.4.0, allows remote unauthenticated attackers to retrieve XML log files containing UPS API credentials, shipper account numbers and customer personal data through predictable URLs in the modules/upsshipping/logs/ directory. The vendor (Agence Web 360) is defunct and no patch will be released.
-
[CVE-2025-69633] Improper neutralization of SQL parameters in Advanced Popup Creator module from Idnovate for PrestaShop
A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop, before version 1.2.7, allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup controller.
-
[CVE-2025-61922] Customer account takeover via email in PrestaShop Checkout module for PrestaShop
Missing validation on Express Checkout feature in the PrestaShop Checkout module allows silent log-in, enabling customer account takeover via email.
-
[CVE-2025-51586] User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2
User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2 allows remote attackers to obtain administrator email addresses via manipulation of the id_employee and reset_token parameters. An attacker who has access to the Back Office login URL can trigger the password reset form to disclose the associated email address in a hidden field, even when the provided reset token is invalid. This issue has been fixed in 8.2.3.
-
[CVE-2023-45256] Improper neutralization of SQL parameters in Monetico Paiement module from EuroInformation for PrestaShop
In the module Monetico Paiement (MoneticoPaiement), multiple insecure parameters can allow a remote attacker to perform a SQL injection attack.
-
[CVE-2024-6648] Absolute Path Traversal vulnerability in AP Page Builder versions prior to 4.0.0
AP Page Builder is vulnerable to an absolute path traversal that allows the attacker to include system files by modifying the base64-encoded config parameter submitted to apajax.php.
-
[CVE-2025-24027] ps_contactinfo has potential XSS due to usage of the nofilter tag in template
ps_contactinfo has a cross-site scripting (XSS) weakness (which is not a standalone vulnerability) in versions up to and including 3.3.2.
-
[CVE-2024-41670] Improperly Implemented Security Check for Standard in PayPal Official for PrestaShop
In the module “PayPal Official” for PrestaShop 1.7+ release <= 6.4.1 and for PrestaShop 1.6 release <= 3.18.0, a malicious customer can confirm as “payment accepted” an order even if payment is finally declined by PayPal.
-
[CVE-2024-36683] Improper neutralization of SQL parameter in Smart Modules - Products Alert module for PrestaShop
In the module “Products Alert” (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-34989] Improper neutralization of SQL parameter in RSI PDF/HTML catalog evolution (prestapdf) module for PrestaShop
In the module RSI PDF/HTML catalog evolution (prestapdf) from RSI for PrestaShop, a guest can perform SQL injection in affected versions.