CVE-2026-39079
Description
An issue in the PrestaShop upsshipping module, all versions through at least 2.4.0, allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php components.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remote unauthenticated attackers can read UPS API credentials and customer PII from publicly accessible log files in the PrestaShop upsshipping module (all versions through at least 2.4.0).
Vulnerability
The upsshipping module for PrestaShop, all versions through at least 2.4.0, contains a sensitive information disclosure vulnerability due to missing access controls on the /modules/upsshipping/logs/ directory [1]. XML log files containing UPS API credentials, shipper account numbers, customer personally identifiable information (PII), and merchant tax identification numbers are directly web-accessible without authentication [1]. The issue is classified as CWE-552 (Files or Directories Accessible to External Parties) and CWE-532 (Insertion of Sensitive Information into Log File) [1]. The module lacks .htaccess or equivalent protections on the logs directory, and no authentication is required to read its contents [1].
Exploitation
An attacker with plain HTTP access to the PrestaShop instance can enumerate predictable URLs under /modules/upsshipping/logs/ and retrieve the XML log files [1]. No authentication, prior permissions, user interaction, or special network position is required [1].
Impact
Successful exploitation allows a remote unauthenticated attacker to obtain sensitive information including UPS API credentials, shipper account numbers, customer PII, and merchant tax identification numbers [1]. The scope is changed (CVSS scope: Changed) because the exposed credentials and technical data belong to a separate security authority (the merchant’s UPS account / UPS API platform) alongside customer data [1]. The confidentiality impact is high; integrity and availability are not affected [1].
Mitigation
The vendor (Agence Web 360) is defunct, and no official patch is available or expected [1]. As of this writing, the domain agence-web-360.com is listed for sale, and prior contact attempts have received no response [1]. Site administrators should remove or rename the /modules/upsshipping/logs/ directory, add web-server-level access controls (e.g., deny all requests to the logs path), and rotate every credential the exposed logs contained, UPS API credentials and shipper account numbers included, since anything written there must be treated as disclosed [1]. Because no fix exists, removing the module may be the safest long-term action [1].
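The triage sequence above (check whether the directory answers anonymous requests, deny web access to it, find out which credentials were actually written to disk) as an added shell script. It is not from the advisory or the module's own code. It assumes an Apache 2.4 host that honours .htaccess for the module path (nginx users would instead add a location block with deny all for the same path); the XML tag names it greps for follow the UPS legacy XML API (AccessLicenseNumber, UserId, Password, ShipperNumber, TaxIdentificationNumber), and whether the module logs exactly those tags is an assumption, as is the sample log the script writes for offline testing.

```bash
#!/usr/bin/env bash
# Added triage helper for CVE-2026-39079 (not part of the advisory or the
# upsshipping module). Assumptions: the shop runs on Apache 2.4 with .htaccess
# honoured for the module path; the XML tag names below follow the UPS legacy
# XML API (AccessRequest / Shipper elements) and are an assumption about what
# the module logs, not a fact taken from the advisory.
set -eu

LOGS_REL='modules/upsshipping/logs'
# A log containing any of these tags with a value means the matching credential
# or identifier has to be treated as disclosed and rotated.
SENSITIVE_TAGS='AccessLicenseNumber|UserId|Password|ShipperNumber|TaxIdentificationNumber'

# Remote check (needs network): HTTP status of an anonymous GET on the logs
# directory. 200 means exposed; 403 or 404 is the expected state after hardening.
check_exposure() {
  local base_url="$1"
  curl -s -o /dev/null -w '%{http_code}' "${base_url%/}/${LOGS_REL}/"
}

# Containment: deny all web access to the logs directory at the web-server level
# by writing an Apache 2.4 .htaccess. Prints the path of the file written.
harden_logs_dir() {
  local shop_root="$1"
  local dir="${shop_root%/}/${LOGS_REL}"
  mkdir -p "$dir"
  cat > "${dir}/.htaccess" <<'EOF'
# CVE-2026-39079 containment: no HTTP access to upsshipping log files
Require all denied
Options -Indexes
EOF
  printf '%s\n' "${dir}/.htaccess"
}

# Inventory: list, one per line, the sensitive tags that appear with a non-empty
# value in the on-disk XML logs, so you know which credentials to rotate and
# whether customer data has to go through your breach-handling process.
list_exposed_fields() {
  local shop_root="$1"
  local dir="${shop_root%/}/${LOGS_REL}"
  grep -rhoE --include='*.xml' "<(${SENSITIVE_TAGS})>[^<]+</" "$dir" 2>/dev/null \
    | sed -E 's/^<([^>]+)>.*/\1/' | LC_ALL=C sort -u
}

# Constructed sample log with fake values so the script can be exercised
# offline; it mimics an unredacted UPS AccessRequest plus a Shipper block.
write_sample_log() {
  local shop_root="$1"
  local dir="${shop_root%/}/${LOGS_REL}"
  mkdir -p "$dir"
  cat > "${dir}/request_20260101.xml" <<'EOF'
<?xml version="1.0"?>
<AccessRequest>
  <AccessLicenseNumber>0123456789ABCDEF</AccessLicenseNumber>
  <UserId>demo-merchant</UserId>
  <Password>not-a-real-password</Password>
</AccessRequest>
<Shipper>
  <ShipperNumber>A1B2C3</ShipperNumber>
  <TaxIdentificationNumber></TaxIdentificationNumber>
</Shipper>
EOF
}

# Offline demo: build the sample, harden the directory, report what was exposed.
demo_root=$(mktemp -d)
write_sample_log "$demo_root"
harden_logs_dir "$demo_root"
list_exposed_fields "$demo_root"
rm -rf "$demo_root"
```

Run check_exposure against the shop URL before and after hardening (a 200 turning into 403 confirms the rule is in effect), and use the inventory output, not a guess, to decide which UPS credentials to rotate. The empty TaxIdentificationNumber in the sample is deliberately not reported, since only tags with a value count as disclosed.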
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=2.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.