CVE-2025-61922

CRITICAL

PrestaShop Checkout < 7.4.4.1 - Authentication Bypass

Title source: rule

Description

PrestaShop Checkout is PrestaShop's official payment module, built in partnership with PayPal. From version 1.3.0 up to, but not including, versions 4.4.1 and 5.0.5, the Express Checkout feature fails to validate the identity it is handed: an unauthenticated attacker who presents an existing customer's email address to the Express Checkout flow is silently logged in as that customer, which amounts to account takeover. The issue is fixed in versions 4.4.1 and 5.0.5. No workaround is known, so upgrading the module is the only remediation.
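The practical question for a shop operator is whether the installed ps_checkout release falls inside the ranges above. The following Python script is an added example, not code from the advisory or from the PrestaShop project; it encodes the ranges exactly as the description states them (affected from 1.3.0, fixed in 4.4.1 and 5.0.5) and assumes that 4.x releases at or above 4.4.1 carry the fix. It reads the version from the two places it normally lives on disk, `modules/ps_checkout/config.xml` (a `<version>` element, as PrestaShop modules ship it) and `composer.lock` (the `prestashop/ps_checkout` Packagist package); the sample files embedded in the block are constructed for the example.

```python
"""Check an installed PrestaShop Checkout version against CVE-2025-61922.

Added example; not the project's own tooling. Affected ranges are taken
from the advisory text: >= 1.3.0 and < 4.4.1, or >= 5.0.0 and < 5.0.5.
Assumption: 4.x releases at or above 4.4.1 already contain the fix.
"""
import json
import re
import xml.etree.ElementTree as ET

AFFECTED_RANGES = [
    ((1, 3, 0), (4, 4, 1)),  # 1.3.0 <= v < 4.4.1
    ((5, 0, 0), (5, 0, 5)),  # 5.0.0 <= v < 5.0.5
]


def parse_version(text):
    """Turn '4.3.0', 'v5.0.4' or '4.4' into a comparable 3-tuple of ints."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def is_vulnerable(version):
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def version_from_config_xml(xml_text):
    """PrestaShop modules carry modules/<name>/config.xml with a <version> element
    (its CDATA content is returned as plain text by ElementTree)."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("no <version> element in config.xml")
    return node.text.strip()


def version_from_composer_lock(lock_text, package="prestashop/ps_checkout"):
    """Return the locked version of the Packagist package, or None if absent."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def assess(version):
    """Summarise the finding for one discovered version string."""
    vulnerable = is_vulnerable(version)
    fix = "4.4.1" if parse_version(version) < (5, 0, 0) else "5.0.5"
    return {"version": version, "vulnerable": vulnerable, "upgrade_to": fix}


# Constructed sample inputs standing in for files read from a shop install.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<module>
    <name>ps_checkout</name>
    <displayName><![CDATA[PrestaShop Checkout]]></displayName>
    <version><![CDATA[4.3.0]]></version>
</module>
"""
SAMPLE_COMPOSER_LOCK = json.dumps(
    {"packages": [{"name": "prestashop/ps_checkout", "version": "5.0.5"}]}
)

if __name__ == "__main__":
    for found in (version_from_config_xml(SAMPLE_CONFIG_XML),
                  version_from_composer_lock(SAMPLE_COMPOSER_LOCK)):
        print(assess(found))
```

Run it against the real files by replacing the two constructed samples with `open(...).read()` on `modules/ps_checkout/config.xml` and the shop's `composer.lock`; a version that parses but sits outside both ranges (for example 4.5.x or 5.1.x) is reported as not vulnerable under the stated assumption.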

Exploits (2)

nomisec: WORKING POC (8 stars), by g0vguy, type: poc
https://github.com/g0vguy/CVE-2025-61922-PoC

nomisec: STUB, by captaincookie34, type: poc
https://github.com/captaincookie34/Vulnerability-Playground-CVE-2025-61922

Scores

CVSS v3.1 base score: 9.1 (Critical)
EPSS: 0.0002 (0.02%)
EPSS percentile: 4.3%
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-287
Status published
Products (2)
prestashop/prestashop_checkout 1.3.0 - 7.4.4.1
prestashop/ps_checkout 1.3.0 - 4.4.1 (Packagist)
Published Oct 16, 2025
Tracked Since Feb 18, 2026