CVE-2025-61924
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-12-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prestashop | prestashop_checkout | to 7.4.4.1 (exc) |
| prestashop | prestashop_checkout | From 7.5.0.1 (inc) to 7.5.0.5 (exc) |
| prestashop | prestashop_checkout | From 8.3.1.0 (inc) to 8.4.4.1 (exc) |
| prestashop | prestashop_checkout | From 8.5.0.0 (inc) to 8.5.0.5 (exc) |
| prestashop | prestashop_checkout | From 9.4.3.1 (inc) to 9.5.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in PrestaShop Checkout, the official payment module partnered with PayPal, involves a flaw in versions prior to 4.4.1 and 5.0.5 where improper use of the PHP array_search() function allows an attacker to hijack the target PayPal merchant account from the backoffice.
How can this vulnerability impact me? :
The vulnerability can lead to the hijacking of the PayPal merchant account associated with the PrestaShop Checkout module, potentially allowing unauthorized access or control over payment transactions, which could result in financial loss or fraud.
What immediate steps should I take to mitigate this vulnerability?
Upgrade PrestaShop Checkout to version 4.4.1 or 5.0.5 or later, as these versions contain the fix for the vulnerability. No known workarounds exist.