PrestaShop Checkout allows customer account takeover via email
Description
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing validation in PrestaShop Checkout's Express Checkout feature allows silent login, enabling account takeover via email in versions 1.3.0 through prior to 4.4.1 and 5.0.5.
CVE-2025-61922 describes a missing validation vulnerability in the Express Checkout feature of PrestaShop Checkout, the official payment module in partnership with PayPal. The flaw allows an attacker to silently log in as any user, effectively enabling account takeover via email. The issue was introduced in version 1.3.0 and affects all versions prior to 4.4.1 and 5.0.5 [1][3].
The attack requires no special authentication; the lack of validation on the Express Checkout flow means that an attacker can initiate a login using only a target email address. This bypasses normal authentication checks and grants unauthorized access to the victim's account. The vulnerability is particularly dangerous because it is silent—no additional verification is prompted [3].
Successful exploitation leads to full account takeover, allowing the attacker to access the victim's PrestaShop account, view personal information, and potentially make fraudulent transactions. The impact is severe as it compromises both user privacy and financial security [1][3].
The vulnerability has been patched in versions 4.4.1 and 5.0.5 of PrestaShop Checkout, corresponding to build numbers 7.4.4.1/8.4.4.1 for v4 and 7.5.0.5/8.5.0.5/9.5.0.5 for v5. No workarounds are available; users must upgrade to the fixed versions [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
prestashop/ps_checkoutPackagist | >= 1.3.0, < 4.4.1 | 4.4.1 |
prestashop/ps_checkoutPackagist | >= 5.0.0, < 5.0.5 | 5.0.5 |
Affected products
2>= 1.3.0, < 4.4.1 || >= 5.0.0, < 5.0.5+ 1 more
- (no CPE)range: >= 1.3.0, < 4.4.1 || >= 5.0.0, < 5.0.5
- (no CPE)range: >= 1.3.0, < 4.4.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-54hq-mf6h-48xhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-61922ghsaADVISORY
- github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xhghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.