PrestaShop Checkout Target PayPal merchant account hijacking from backoffice
Description
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the target PayPal merchant account can be hijacked from the backoffice due to wrong usage of the PHP array_search() function. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PrestaShop Checkout payment module vulnerable to PayPal merchant account hijacking due to improper use of PHP array_search(), fixed in versions 4.4.1 and 5.0.5.
Vulnerability Description
The PrestaShop Checkout module, the official payment module integrating PayPal, contains a vulnerability in versions prior to 4.4.1 and 5.0.5. The issue stems from the incorrect usage of PHP's array_search() function, which allows an attacker to bypass validation checks and hijack the target PayPal merchant account from the backoffice [1][3].
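The description names array_search() misuse but not the exact call. As an added illustration (not code from ps_checkout or from this page), the PHP below shows the two ways array_search() commonly breaks a validation check, next to the strict form that avoids both; the identifiers, function names and inputs are constructed.

```php
<?php
// Constructed sample data: identifiers a settings handler is willing to accept.
$allowed = ['MERCHANT-AAA', 'MERCHANT-BBB'];

// Flawed: the return value is used as a boolean.
// array_search() returns the matching KEY, so a hit at key 0 is falsy.
function checkTruthy($candidate, array $allowed): bool
{
    return (bool) array_search($candidate, $allowed, true);
}

// Flawed: no third argument, so values are compared with ==.
// Boolean true loosely equals any non-empty string other than "0".
function checkLoose($candidate, array $allowed): bool
{
    return array_search($candidate, $allowed) !== false;
}

// Hardened: type check, strict comparison, explicit test against false.
// For pure membership tests, in_array($candidate, $allowed, true) is equivalent.
function checkStrict($candidate, array $allowed): bool
{
    if (!is_string($candidate)) {
        return false;
    }
    return array_search($candidate, $allowed, true) !== false;
}

// Constructed inputs, as they might arrive from a decoded JSON request body.
$cases = [
    'id at key 0'  => 'MERCHANT-AAA',
    'id at key 1'  => 'MERCHANT-BBB',
    'unknown id'   => 'MERCHANT-ZZZ',
    'boolean true' => json_decode('true'),
];

foreach ($cases as $label => $value) {
    printf(
        "%-13s truthy=%-5s loose=%-5s strict=%s\n",
        $label,
        var_export(checkTruthy($value, $allowed), true),
        var_export(checkLoose($value, $allowed), true),
        var_export(checkStrict($value, $allowed), true)
    );
}
```

Only checkStrict accepts both listed identifiers and rejects the unknown identifier and the boolean input.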
Exploitation Scenario
An attacker with backoffice access can exploit this flaw to modify the PayPal merchant account settings, effectively taking control of payment processing. The vulnerability does not require unusual privileges beyond standard backoffice access, making it a significant risk for merchants running affected versions [1][3].
Impact
Successful exploitation enables an attacker to hijack the PayPal merchant account, potentially intercepting or redirecting payments made through the store. This can lead to financial loss and reputational damage for the merchant [3].
Mitigation
The issue has been patched in versions 4.4.1 (for PrestaShop 1.7 and 8) and 5.0.5 (for PrestaShop 1.7, 8, and 9). No known workarounds exist, so upgrading to the latest patched version is strongly recommended [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| prestashop/ps_checkout (Packagist) | < 4.4.1 | 4.4.1 |
| prestashop/ps_checkout (Packagist) | >= 5.0.0, < 5.0.5 | 5.0.5 |
Affected products
- (no CPE) range: <4.4.1, <5.0.5
- (no CPE) range: < 4.4.1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-wvpg-4wrh-5889 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-61924 (ghsa, ADVISORY)
- github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-wvpg-4wrh-5889 (ghsa, x_refsource_CONFIRM, WEB)