PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure
Description
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PrestaShop Checkout backoffice lacks input validation, allowing directory traversal and arbitrary file disclosure; fixed in 4.4.1 and 5.0.5.
What is the vulnerability?
PrestaShop Checkout, the official payment module in partnership with PayPal, contains a directory traversal vulnerability in its backoffice interface. Due to missing validation on input, an attacker can traverse directories and disclose arbitrary files from the server. This affects versions prior to 4.4.1 and 5.0.5 [1][3].
How is it exploited?
The vulnerability resides in backoffice functionality, which requires authentication to access. An authenticated user can supply specially crafted input that bypasses path sanitization, allowing them to read files outside the intended directory. The impact is limited to file disclosure; no code execution has been reported [3].
Impact
An attacker with backoffice access can read sensitive files, such as configuration files containing database credentials or other secrets, potentially leading to further compromise of the PrestaShop installation [1].
Mitigation
The issue has been fixed in versions 4.4.1 (for PrestaShop 1.7 and 8) and 5.0.5 (for PrestaShop 1.7, 8, and 9). No known workarounds exist; users must update to the patched versions [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| prestashop/ps_checkout | Packagist | < 4.4.1 | 4.4.1 |
| prestashop/ps_checkout | Packagist | >= 5.0.0, < 5.0.5 | 5.0.5 |
Affected products
- (no CPE) range: >=4.0.0 <4.4.1 (or <5.0.5 for v5 line)
- (no CPE) range: < 4.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fpxp-pfqm-x54w (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-61923 (NVD entry)
- github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-fpxp-pfqm-x54w (vendor advisory, CONFIRM)
News mentions
No linked articles in our index yet.