CVE-2020-5250

HIGH

PrestaShop <1.7.6.4 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-5250. PoCs published by drkbcn.

AI-analyzed exploit summary This repository contains a patching tool for CVE-2020-5250, a vulnerability in PrestaShop. It includes PHP scripts to detect and apply patches to affected files, but does not contain an actual exploit. The code is functional for patching but lacks offensive exploit capabilities.

Description

In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4.

Exploits (1)

nomisec WRITEUP 1 stars
by drkbcn · poc
https://github.com/drkbcn/lblfixer_cve2020_5250

This repository contains a patching tool for CVE-2020-5250, a vulnerability in PrestaShop. It includes PHP scripts to detect and apply patches to affected files, but does not contain an actual exploit. The code is functional for patching but lacks offensive exploit capabilities.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: PrestaShop 1.7.X
Auth required
Prerequisites: Access to PrestaShop admin panel · Valid security token
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.6
EPSS 0.0085
EPSS Percentile 53.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Details

CWE
CWE-285 CWE-552
Status published
Products (1)
prestashop/prestashop 1.7.0.0 - 1.7.6.4
Published Mar 05, 2020
Tracked Since Feb 18, 2026