The vulnerability is an improper input validation flaw (CWE-20) in the PrestaShop ps_checkout module. An attacker sends a crafted HTTP request in which a request parameter (the advisory names action, method, or controller as examples) is passed unvalidated to the module's internal method dispatcher, so the request can invoke arbitrary module methods without an authorization check: the affected code does not verify the caller's context or permissions before executing the requested method. Exploitation is network-based, low complexity, and needs neither privileges nor user interaction (CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U). An invoked method may make small, unspecified changes, so the advisory rates the outcome as limited integrity impact with "very little possibilities" and no confidentiality or availability impact. Versions below 5.3.0 are vulnerable; 5.3.0 is the patched version for PrestaShop 1.7, 8, and 9, shipped as builds 7.5.3.0, 8.5.3.0, and 9.5.3.0 respectively. The issue was reported by PATICEO, fixed on April 23, 2026, scored 2.7 (Low) under CVSS v4, and has no CVE identifier.
Platform: PrestaShop ps_checkout
Version: <5.3.0
Vulnerability: Unauthorized method invocation
Severity: Low
Date: 2026-04-23
Prediction: Patch available 2026-04-23
What Undercode Say:
Check installed ps_checkout version
composer show prestashop/ps_checkout | grep versions
Update to patched version 5.3.0
composer require prestashop/ps_checkout:5.3.0
Verify the patch by checking the build number (PrestaShop 1.7 example; run from the shop root so the PrestaShop bootstrap defines the Configuration class)
php -r "require 'config/config.inc.php'; echo Configuration::get('PS_CHECKOUT_BUILD_NUMBER');"
For a module installed from a zip rather than via Composer, the version is also recorded in modules/ps_checkout/config.xml
grep -o '<version>.*</version>' modules/ps_checkout/config.xml
Exploit:
Send a crafted request with a malicious 'action' parameter (placeholder host, action and parameter values)
curl -X POST "https://target-shop.com/module/ps_checkout/front?action=unauthorizedMethod" \
  -d "unvalidated_param=malicious_value"
Protection from this vulnerability:
- Upgrade to ps_checkout v5.3.0 or later.
- Apply input validation on all controller parameters.
- Restrict method invocation by whitelisting allowed actions.
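To make the dispatcher flaw described above and the allowlist mitigation in the Protection list concrete, here is an added PHP example. It is not ps_checkout's code: the CheckoutFrontController class, its method names, the ALLOWED_ACTIONS table and the logged-in flag are assumptions chosen to illustrate the pattern (PHP 8 syntax).

```php
<?php
// Added example, not ps_checkout's code. Class, method names, the
// ALLOWED_ACTIONS table and the customerLoggedIn flag are assumptions.
declare(strict_types=1);

final class CheckoutFrontController
{
    /** The only actions an HTTP request may reach, with their auth requirement. */
    private const ALLOWED_ACTIONS = [
        'ping'           => ['auth' => false],
        'getOrderStatus' => ['auth' => true],
    ];

    public function __construct(private bool $customerLoggedIn) {}

    /**
     * Unsafe pattern (the advisory's shape): whatever method name the client
     * supplies in "action" is invoked, with no allowlist and no permission check.
     */
    public function dispatchUnsafe(array $request): string
    {
        $action = $request['action'] ?? 'ping';
        if (is_string($action) && method_exists($this, $action)) {
            return $this->{$action}($request);
        }
        throw new RuntimeException('unknown action');
    }

    /**
     * Hardened pattern: validate the parameter against an explicit allowlist
     * first, then enforce the caller's authorization before invoking anything.
     */
    public function dispatchSafe(array $request): string
    {
        $action = $request['action'] ?? 'ping';
        if (!is_string($action) || !array_key_exists($action, self::ALLOWED_ACTIONS)) {
            throw new InvalidArgumentException('rejected action');
        }
        if (self::ALLOWED_ACTIONS[$action]['auth'] && !$this->customerLoggedIn) {
            throw new RuntimeException('forbidden');
        }
        return $this->{$action}($request);
    }

    public function ping(array $request): string
    {
        return 'pong';
    }

    public function getOrderStatus(array $request): string
    {
        return 'status for order ' . (int) ($request['id_order'] ?? 0);
    }

    /**
     * Internal helper that is public only so other module classes can call it.
     * It must never be client-reachable; the unsafe dispatcher exposes exactly
     * this kind of small, unintended state change.
     */
    public function resetSessionToken(array $request): string
    {
        return 'token reset';
    }
}

// Constructed request: an anonymous client names an internal method directly.
$anonymous = new CheckoutFrontController(customerLoggedIn: false);
$crafted   = ['action' => 'resetSessionToken'];

echo $anonymous->dispatchUnsafe($crafted), PHP_EOL;

try {
    $anonymous->dispatchSafe($crafted);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

With the crafted request, dispatchUnsafe reaches resetSessionToken because method_exists alone is the only gate, while dispatchSafe throws before any method runs because the name is absent from the allowlist. The order of the two checks matters: the allowlist decides which methods are reachable at all, and the authorization check then decides who may reach each one, so an attacker cannot probe for public methods the module never meant to expose.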
Impact:
- Low integrity impact (limited unauthorized method calls).
- No confidentiality or availability compromise.
- Minimal exploitation possibilities as per advisory.
Sources:
Reported By: github.com

