CVE-2018-20717
Description
PrestaShop before 1.7.2.5 allows authenticated users with Salesman or higher privileges to inject serialized objects leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the orders section of PrestaShop versions before 1.7.2.5, where the component fails to properly validate serialized objects during request handling. The security check looks for the pattern O: followed by an integer, but it does not account for O:+ followed by an integer (the serialization format also accepts a plus sign before the length), so the protection can be bypassed. This permits the injection of arbitrary PHP objects into the application process [1][3].
Exploitation
An attacker must first gain access to a target store with a user role having at least Salesman privileges. With such access, they can craft a malicious serialized PHP object string using the O:+ bypass pattern. By injecting this payload into the orders section workflow, the object is deserialized and executed within the application context [1][3].
Impact
Successful exploitation results in arbitrary PHP object injection and chaining, leading to Remote Code Execution (RCE). The attacker can execute arbitrary PHP code on the PrestaShop server, potentially leading to full compromise of the application and its data [1][3].
Mitigation
The issue is fixed in PrestaShop version 1.7.2.5 and later. Users should upgrade to the latest patched version immediately. There are no known workarounds for unpatched installations [1][2].
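The following is an added example, not PrestaShop's own code, illustrating the two points above: a pattern-based filter that only rejects O: followed by digits misses the signed form, and the robust boundary is to stop unserialize() from instantiating classes at all. The function names (weakFilterAllows, hardenedFilterAllows, safeUnserialize) and the sample inputs are constructed for this example; allowed_classes is the real unserialize() option available since PHP 7.0.

```php
<?php
// Added example (not PrestaShop's code). Demonstrates why a pattern filter
// on serialized input is fragile and what a robust boundary looks like.
// Requires PHP >= 7.0 for the allowed_classes option.

// Weak filter of the kind described for CVE-2018-20717: it rejects
// "O:<int>:" but the serialization grammar also accepts "O:+<int>:".
function weakFilterAllows(string $serialized): bool
{
    return preg_match('/O:\d+:/', $serialized) !== 1;
}

// Hardened filter: reject any object (O) or custom-serialized (C) marker,
// with the optional plus sign the format tolerates, case-insensitively.
function hardenedFilterAllows(string $serialized): bool
{
    return preg_match('/[OC]:\+?\d+:/i', $serialized) !== 1;
}

// Preferred boundary: never let unserialize() build real objects from
// untrusted input. With allowed_classes => false every object in the
// payload becomes __PHP_Incomplete_Class, so no __wakeup()/__destruct()
// gadget code runs, whatever the length field looks like.
function safeUnserialize(string $serialized)
{
    return unserialize($serialized, ['allowed_classes' => false]);
}

// Constructed inputs for the demonstration (hypothetical values).
$benign = serialize(['order_id' => 42, 'state' => 'shipped']);
$plain  = 'O:8:"stdClass":0:{}';
$signed = 'O:+8:"stdClass":0:{}';   // same object, plus sign before the length

foreach ([$benign, $plain, $signed] as $input) {
    printf("%-32s weak=%-6s hardened=%s\n", $input,
        weakFilterAllows($input) ? 'allow' : 'reject',
        hardenedFilterAllows($input) ? 'allow' : 'reject');
}

// Even when a filter is bypassed, the deserialization boundary holds:
// the signed payload yields an incomplete-class placeholder, not an object
// with live methods, while the benign array round-trips unchanged.
$decoded = safeUnserialize($signed);
var_dump($decoded instanceof __PHP_Incomplete_Class);
var_dump(safeUnserialize($benign)['order_id']);
```

Run it with `php example.php`. The weak filter lets the signed payload through while the hardened regex rejects both object forms; the deeper lesson is that allow-listing serialized text is a losing game, and that data exchanged with users should either be deserialized with allowed_classes set to false (or an explicit class allow-list) or carried in a format such as JSON that cannot instantiate objects.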
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| prestashop/prestashop | Packagist | < 1.7.2.5 | 1.7.2.5 |
Affected products
- Range: 1.6.0.1, 1.6.0.3, 1.6.1.0, …
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xx67-2j3v-h76p (source: GHSA, type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-20717 (source: GHSA, type: advisory)
- blog.ripstech.com/2018/prestashop-remote-code-execution (source: GHSA, type: web)
- blog.ripstech.com/2018/prestashop-remote-code-execution/ (source: MITRE, type: x_refsource_MISC)
- build.prestashop.com/news/prestashop-1-7-2-5-maintenance-release (source: GHSA, type: web)
- build.prestashop.com/news/prestashop-1-7-2-5-maintenance-release/ (source: MITRE, type: x_refsource_MISC)
News mentions
No linked articles in our index yet.