VYPR

Vendor CVEs

Prestashop

All CVEs

221 total · sorted by risk
  • CVE-2018-8823 · Critical · Mar 28, 2018
    risk 0.68 · cvss 9.8 · epss 0.52

    modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute arbitrary PHP code via the code parameter.

  • CVE-2018-10942 · Critical · May 10, 2018
    risk 0.65 · cvss 9.8 · epss 0.13

    modules/attributewizardpro/file_upload.php in the Attribute Wizard addon 1.6.9 for PrestaShop 1.4.0.1 through 1.6.1.18 allows remote attackers to execute arbitrary code by uploading a .phtml file.

  • CVE-2025-69633 · Critical · Feb 13, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup…

  • CVE-2024-33275 · Critical · Apr 30, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL injection vulnerability in Webbax supernewsletter v.1.4.21 and before allows a remote attacker to escalate privileges via the Super Newsletter module in the product_search.php components.

  • CVE-2024-28394 · Critical · Mar 19, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module.

  • CVE-2023-36263 · Critical · Oct 31, 2023
    risk 0.64 · cvss 9.8 · epss 0.00

    Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage() has sensitive SQL calls that can be executed with a trivial HTTP call and exploited to forge a SQL injection.

  • CVE-2023-34576 · Critical · Sep 21, 2023
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via an unspecified vector.

  • CVE-2023-34575 · Critical · Sep 20, 2023
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() methods.

  • CVE-2018-8824 · Critical · May 10, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter.

  • CVE-2026-44212 · Critical · May 14, 2026
    risk 0.53 · cvss 9.3 · epss 0.00

    PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious…

  • CVE-2026-39079 · High · May 18, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in prestashop upsshipping, all versions through at least 2.4.0, allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php components.

  • CVE-2024-36682 · High · Jun 24, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can download all email collected while SHOP is in maintenance mode. Due to a lack of permissions control, a guest can access the txt file which collect email when maintenance is…

  • CVE-2024-33270 · High · Apr 30, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in FME Modules fileuploads v.2.0.3 and before and fixed in v2.0.4 allows a remote attacker to obtain sensitive information via the uploadfiles.php component.

  • CVE-2026-33673 · High · Mar 26, 2026
    risk 0.42 · cvss 7.6 · epss 0.00

    PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously…

  • CVE-2023-30148 · Medium · Oct 14, 2023
    risk 0.40 · cvss 6.1 · epss 0.00

    Multiple Stored Cross Site Scripting (XSS) vulnerabilities in Opart opartmultihtmlblock before version 2.0.12 and Opart multihtmlblock* version 1.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the body_text or body_text_rude field in…

  • CVE-2018-5682 · Medium · Jan 13, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    PrestaShop 1.7.2.4 allows user enumeration via the Reset Password feature, by noticing which reset attempts do not produce a "This account does not exist" error message.

  • CVE-2018-5681 · Medium · Jan 13, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    PrestaShop 1.7.2.4 has XSS via source-code editing on the "Pages > Edit page" screen.

  • CVE-2025-24027 · Medium · Jan 22, 2025
    risk 0.33 · cvss 6.2 · epss 0.00

    ps_contactinfo, a PrestaShop module for displaying store contact information, has a cross-site scripting (XSS) vulnerability in versions up to and including 3.3.2. This can not be exploited in a fresh install of PrestaShop, only shops made vulnerable by third party modules are…

  • CVE-2025-1230 · Medium · Feb 12, 2025
    risk 0.31 · cvss 4.8 · epss 0.00

    Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through ‘/<admin_directory>/index.php’, affecting the ‘link’ parameter. This vulnerability could allow a remote user to send a specially crafted query…

  • CVE-2023-45375 · Oct 17, 2023
    risk 0.07 · cvss n/a · epss 0.38

    In the module "PireosPay" (pireospay) before version 1.7.10 from 01generator.com for PrestaShop, a guest can perform SQL injection via `PireosPayValidationModuleFrontController::postProcess()`.

  • CVE-2023-27640 · Jun 1, 2023
    risk 0.07 · cvss n/a · epss 0.04

    An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter type in the /tshirtecommerce/fonts.php endpoint, to allow a remote attacker to traverse directories on the system in…

  • CVE-2023-27639 · Jun 1, 2023
    risk 0.07 · cvss n/a · epss 0.04

    An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter file_name in the tshirtecommerce/ajax.php?type=svg endpoint, to allow a remote attacker to traverse directories on…

  • CVE-2023-27034 · Mar 23, 2023
    risk 0.07 · cvss n/a · epss 0.59

    PrestaShop jmsblog 2.5.5 was discovered to contain a SQL injection vulnerability.

  • CVE-2022-22897 · Aug 29, 2022
    risk 0.07 · cvss n/a · epss 0.11

    A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data.

  • CVE-2026-33674 · Low · Mar 26, 2026
    risk 0.06 · cvss 2.0 · epss 0.00

    PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.

  • CVE-2023-46347 · Oct 25, 2023
    risk 0.06 · cvss n/a · epss 0.50

    In the module "Step by Step products Pack" (ndk_steppingpack) version 1.5.6 and before from NDK Design for PrestaShop, a guest can perform SQL injection. The method `NdkSpack::getPacks()` has sensitive SQL calls that can be executed with a trivial HTTP call and exploited to…

  • CVE-2023-39677 · Sep 20, 2023
    risk 0.06 · cvss n/a · epss 0.31

    MyPrestaModules Prestashop Module v6.2.9 and UpdateProducts Prestashop Module v3.6.9 were discovered to contain a PHPInfo information disclosure vulnerability via send.php.

  • CVE-2023-27847 · Mar 27, 2023
    risk 0.06 · cvss n/a · epss 0.05

    SQL injection vulnerability found in PrestaShop xipblog v.2.0.1 and before allows a remote attacker to gain privileges via the xipcategoryclass and xippostsclass components.

  • CVE-2021-3110 · Jan 20, 2021
    risk 0.06 · cvss n/a · epss 0.21

    The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter.

  • CVE-2023-30194 · May 10, 2023
    risk 0.05 · cvss n/a · epss 0.32

    Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook().

  • CVE-2018-19126 · Nov 9, 2018
    risk 0.05 · cvss n/a · epss 0.23

    PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.

  • CVE-2023-30150 · Jun 14, 2023
    risk 0.04 · cvss n/a · epss 0.04

    PrestaShop leocustomajax 1.0 and 1.0.0 are vulnerable to SQL Injection via modules/leocustomajax/leoajax.php.

  • CVE-2018-19125 · Nov 9, 2018
    risk 0.04 · cvss n/a · epss 0.11

    PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory.

  • CVE-2018-13784 · Critical · Jul 9, 2018
    risk 0.04 · cvss 9.1 · epss 0.17

    PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.

  • CVE-2014-2009 · Sep 12, 2014
    risk 0.04 · cvss n/a · epss 0.07

    The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.

  • CVE-2024-41651 · Aug 12, 2024
    risk 0.03 · cvss n/a · epss 0.01

    An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an…

  • CVE-2023-30198 · Jun 12, 2023
    risk 0.03 · cvss n/a · epss 0.06

    Prestashop winbizpayment <= 1.0.2 is vulnerable to Incorrect Access Control via modules/winbizpayment/downloads/download.php.

  • CVE-2023-27032 · Apr 12, 2023
    risk 0.03 · cvss n/a · epss 0.03

    Prestashop advancedpopupcreator v1.1.21 to v1.1.24 was discovered to contain a SQL injection vulnerability via the component AdvancedPopup::getPopups().

  • CVE-2012-2517 · Feb 11, 2020
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php.

  • CVE-2011-4545 · Dec 2, 2011
    risk 0.03 · cvss n/a · epss 0.04

    CRLF injection vulnerability in admin/displayImage.php in Prestashop 1.4.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the name parameter.

  • CVE-2011-4544 · Dec 1, 2011
    risk 0.03 · cvss n/a · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) address or (2) relativ_base_dir parameter to modules/mondialrelay/googlemap.php; the (3) relativ_base_dir, (4) Pays, (5) Ville,…

  • CVE-2008-6503 · Mar 20, 2009
    risk 0.03 · cvss n/a · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in PrestaShop 1.1.0.3 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin/login.php and (2) order.php.

  • CVE-2023-30149 · Jun 2, 2023
    risk 0.01 · cvss n/a · epss 0.18

    SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop version 1.7), allows remote attackers to execute arbitrary SQL commands via…

  • CVE-2018-19355 · Nov 19, 2018
    risk 0.01 · cvss n/a · epss 0.04

    modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations…

  • CVE-2026-25597 · Feb 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in…

  • CVE-2025-61924 · Oct 16, 2025
    risk 0.00 · cvss n/a · epss 0.00

    PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the target PayPal merchant account can be hijacked from the back office due to wrong usage of the PHP array_search() function. The vulnerability is fixed in versions 4.4.1…

  • CVE-2025-61923 · Oct 16, 2025
    risk 0.00 · cvss n/a · epss 0.01

    PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions…

  • CVE-2025-61922 · Oct 16, 2025
    risk 0.00 · cvss n/a · epss 0.00

    PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The…

  • CVE-2025-51586 · Sep 8, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in the file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1, allowing attackers to gain sensitive information via the reset password feature.

  • CVE-2025-25692 · Jul 30, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.

Page 1 of 5