CVE-2018-19125

HIGH

PrestaShop <1.6.1.23, <1.7.4.4 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-19125. PoCs published by Fariskhi Vidyan.

AI-analyzed exploit summary: This exploit chains multiple vulnerabilities in PrestaShop to achieve remote code execution via deserialization of a malicious PHAR file. It leverages file upload and directory manipulation to trigger the payload.

Description

PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory.

Exploits (1)

exploitdb WORKING POC
by Fariskhi Vidyan · php · webapps · php
https://www.exploit-db.com/exploits/45964


Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: PrestaShop 1.6.x <= 1.6.1.23 & 1.7.x <= 1.7.4.4
Auth required
Prerequisites: Valid back-office credentials · File upload access · PHAR extension enabled
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/PrestaShop/PrestaShop/pull/11286
Patch, Third Party Advisory x_refsource_misc
https://github.com/PrestaShop/PrestaShop/pull/11285
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45964/
Release Notes, Third Party Advisory x_refsource_misc
http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases/

Scores

CVSS v3 7.5
EPSS 0.1076
EPSS Percentile 95.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

Status published
Products (1)
prestashop/prestashop 1.6.0.1 - 1.6.1.23
Published Nov 09, 2018
Tracked Since Feb 18, 2026