Account Takeover Vulnerability in PrestaShop Checkout Payment Module
CVE-2025-61922
What is CVE-2025-61922?
CVE-2025-61922 is a security vulnerability in the PrestaShop Checkout payment module (ps_checkout), the official PrestaShop payment solution built with PayPal for e-commerce transactions. The flaw stems from inadequate validation in the Express Checkout feature, which lets an unauthorized user perform a silent login and take control of a customer account knowing only that customer's email address. Such a compromise threatens the integrity and confidentiality of customer data and financial transactions, with potential financial losses and reputational damage for affected merchants. Module versions from 1.3.0 up to but not including 4.4.1, and from 5.0.0 up to but not including 5.0.5, are affected; the developers have released fixes in 4.4.1 and 5.0.5. Organizations running a vulnerable version remain at significant risk until they apply the update.
Potential impact of CVE-2025-61922
- Account Takeover: The primary risk associated with this vulnerability is the potential for account takeover by malicious actors, which can lead to unauthorized access to sensitive customer information, including personal identification and payment details.
- Financial Fraud: Exploiting this vulnerability could lead to fraudulent transactions, putting customer financial data at risk and exposing organizations to monetary losses, chargebacks, and associated legal liabilities.
- Reputational Damage: Organizations affected by account takeovers may suffer significant reputational harm, eroding customer trust and confidence in their services. This could lead to decreased sales and long-term damage to brand integrity.

Affected Version(s)
Product        Affected versions      Unaffected versions
ps_checkout    >= 1.3.0, < 4.4.1      < 1.3.0, 4.4.1
ps_checkout    >= 5.0.0, < 5.0.5      < 5.0.0, 5.0.5
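A quick way to triage a store against the two affected ranges above is to read the module version from its config.xml and compare it as a version tuple rather than as a string. The script below is an added example, not code from PrestaShop or the advisory; the config.xml sample is constructed and only assumes the standard PrestaShop module layout with a <version> element.

```python
"""Check an installed ps_checkout version against the CVE-2025-61922
affected ranges. Added example; the ranges come from the advisory table."""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: (lower bound inclusive, upper bound exclusive).
# 4.4.1 and 5.0.5 are the fixed releases and therefore fall outside the ranges.
AFFECTED_RANGES = [
    ((1, 3, 0), (4, 4, 1)),
    ((5, 0, 0), (5, 0, 5)),
]


def parse_version(text):
    """Turn '4.4.0' or 'v5.0.5' into a tuple of ints so comparisons are numeric,
    not lexical ('4.10.0' must sort after '4.4.1')."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version lies inside any [lower, upper) affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def version_from_config_xml(xml_text):
    """Read the <version> element of a PrestaShop module config.xml."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("no <version> element in config.xml")
    return node.text.strip()


# Constructed sample in the shape of modules/ps_checkout/config.xml
# (assumed layout, not captured from a real store).
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<module>
  <name><![CDATA[ps_checkout]]></name>
  <version><![CDATA[4.4.0]]></version>
</module>"""

if __name__ == "__main__":
    ver = version_from_config_xml(SAMPLE_CONFIG_XML)
    print(ver, "affected" if is_affected(ver) else "not affected")
```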
