PrestaShop, Authentication Bypass, CVE-2025-22094 (Low)


The vulnerability in PrestaShop’s ps_checkout module stems from an insecure use of the PHP `array_search()` function for PayPal merchant ID validation. The function is used to verify whether a user-submitted PayPal Merchant ID exists on a pre-defined allowlist. However, `array_search()` returns the key of the found element, or `false` if nothing is found, and the code then tests that result with a loose comparison (such as `if (array_search(...))`). An attacker can exploit this by submitting the integer `0` as their Merchant ID. If this ID is the first element in the allowlist (at key 0), `array_search()` returns `0`. In a loose comparison, the integer `0` is treated as `false`, causing the validation check to fail and incorrectly deny a legitimate ID. Conversely, and more critically for the bypass, if the validation logic is inverted, this behavior could allow an attacker to bypass the check entirely by forcing a `false` return value, potentially permitting the association of an unauthorized PayPal account.
Platform: PrestaShop Checkout
Version: <4.4.1, 5.0.0-5.0.4
Vulnerability: Authentication Bypass
Severity: Low

date: 2024-10-16

Prediction: Patch available

What Undercode Say:

Simulating the vulnerable `array_search()` logic:

```shell
# Single quotes keep the shell from expanding the PHP variables
php -r '$allowlist = ["A12345", "B67890"]; $input = "0"; $result = array_search($input, $allowlist); var_dump($result); if (!$result) { echo "Access Denied (Bypass Possible)"; }'
```

```php
// Vulnerable Code Snippet (Conceptual)
$allowedMerchantIds = ['6XF3MPZQ6VQHS', 'EXAMPLE123'];
$userInput = $_POST['paypal_merchant_id']; // Attacker controls this
// This check can be bypassed: a match at key 0 evaluates as false
if (array_search($userInput, $allowedMerchantIds)) {
    // Grant access
}

// Patched Code Snippet (Conceptual)
// Uses strict type checking on the return value
if (array_search($userInput, $allowedMerchantIds) !== false) {
    // Grant access
}
```

How Exploit:

Craft malicious PayPal ID.

Submit ‘0’ or other values.

Bypass allowlist validation.

Hijack merchant account linkage.

Protection from this CVE

Upgrade to ps_checkout v4.4.1.

Or upgrade to v5.0.5.

Implement strict comparisons (`!==`).

Validate user input rigorously.
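
The strict check recommended above, as an added example that is not part of the original advisory or the ps_checkout code base: it runs the truthiness pattern and a hardened check side by side over constructed inputs. The function names, the sample IDs and the ID format regex are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allowlist; sample values, not real merchant IDs.
const ALLOWED_MERCHANT_IDS = ['A12345', 'B67890'];

// The pattern described in the advisory: the return value of array_search()
// is used as a boolean, so a match at key 0 is treated as "not found".
function isAllowedTruthy($id, array $allowlist): bool
{
    return (bool) array_search($id, $allowlist);
}

// Hardened check (hypothetical helper): reject non-strings and malformed
// values first, then do a type-safe membership test. The third argument
// `true` makes in_array() compare with === instead of ==.
function isAllowedStrict($id, array $allowlist): bool
{
    // Assumed ID format for this example: 1-32 uppercase letters or digits.
    if (!is_string($id) || preg_match('/^[A-Z0-9]{1,32}$/', $id) !== 1) {
        return false;
    }
    return in_array($id, $allowlist, true);
}

// Constructed inputs: the entry at key 0, the entry at key 1, an unlisted ID,
// the string '0', and the integer 0 (array_search() compares loosely by
// default, so the needle's type matters).
$samples = ['A12345', 'B67890', 'ZZZ999', '0', 0];

foreach ($samples as $input) {
    printf(
        "%-10s key=%-6s truthy=%-6s strict=%s\n",
        var_export($input, true),
        var_export(array_search($input, ALLOWED_MERCHANT_IDS), true),
        var_export(isAllowedTruthy($input, ALLOWED_MERCHANT_IDS), true),
        var_export(isAllowedStrict($input, ALLOWED_MERCHANT_IDS), true)
    );
}
```

The row for `'A12345'` is the one to watch: the truthiness check and the strict check disagree only for the entry stored at key 0.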

Impact:

PayPal account hijacking.

Financial loss.

Unauthorized transaction access.

Reputation damage.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
