Listen to this Post
CVE-2026-54159 is a critical PHP Object Injection vulnerability discovered in the PrestaShop ps_facetedsearch module. This module powers product filtering on a very large share of PrestaShop stores.
The vulnerability exists because the module rebuilds selected search filters directly from the request URL. When a slider filter (price or weight) is used, its value is taken from the URL without sufficient validation. This unsanitized value is then stored in an internal filter-block cache, where it gets serialized. Later, the module reads this cached data back using PHP’s native `unserialize()` function.
By crafting a malicious value for the slider filter parameter, an attacker can inject a serialized PHP object into the cache. When this object is deserialized by the native `unserialize()` call, a gadget chain can be triggered. This gadget chain allows the attacker to write an arbitrary PHP file inside the module’s directory. This file then serves as a webshell, enabling the attacker to execute arbitrary system commands on the server.
Exploitation is remote and unauthenticated; a single crafted front-office request is sufficient. Successful exploitation leads to remote code execution (RCE) and full compromise of the shop and its underlying server.
Affected versions include ps_facetedsearch 3.0.0 through 4.0.3 (all versions since 3.0.0, including the latest release at the time of discovery). The issue affects any shop running PrestaShop 1.7.1.0 or newer.
The vulnerability was responsibly reported by Frédéric Moreau (Antadis) and Gilles Caudal (Datalinx).
DailyCVE Form
| Field | Value |
|-|-|
| Platform | PrestaShop |
| Version | ps_facetedsearch 3.0.0–4.0.3 |
| Vulnerability | PHP Object Injection |
| Severity | Critical |
| Date | 2026-07-10 |
| Prediction | Patch by 2026-06-03 |
What Undercode Say: Analytics
The vulnerability is triggered through the slider filter parameter in the search URL. The following analytics can help detect exploitation attempts:
Monitor search requests for PHP serialization patterns:
Check access logs for serialization payloads
grep -E "O:[0-9]+:|;i:[0-9]+;" /var/log/nginx/access.log
Monitor for Monolog class references (common gadget chain)
grep -E "Monolog\" /var/log/nginx/access.log
Check for suspicious files in the module directory
find /path/to/prestashop/modules/ps_facetedsearch/ -type f -name ".php" -mtime -7 -exec ls -la {} \;
Audit for unexpected PHP files
find /path/to/prestashop/modules/ps_facetedsearch/ -type f -name ".php" ! -name "index.php" -exec grep -l "<?php" {} \;
Clear the faceted-search filter cache after applying mitigations:
Clear cache via PrestaShop CLI (if available) php bin/console cache:clear Or manually remove cache files rm -rf /path/to/prestashop/var/cache/
Exploit
An attacker crafts a malicious serialized PHP object and injects it via the slider filter parameter in the URL:
https://target-shop.com/module/ps_facetedsearch/filter?slider_price=O:...:...{...}
The payload exploits the PHP Object Injection to trigger a gadget chain. Common gadget chains in PrestaShop environments leverage classes like `Monolog\…` to achieve arbitrary file write. The chain writes a webshell to:
/path/to/prestashop/modules/ps_facetedsearch/shell.php
Once written, the attacker accesses the webshell to execute commands:
https://target-shop.com/modules/ps_facetedsearch/shell.php?cmd=id
Exploitation characteristics:
- Unauthenticated (no login required)
- Remote attack vector
- Single HTTP request sufficient
- Leads to full server compromise
Protection
1. Upgrade the module (recommended)
Upgrade ps_facetedsearch to v4.0.4 or later. This is the only complete remediation.
2. Manual patch (if upgrade is not immediately possible)
Apply the fix in `src/Filters/Block.php`:
// Before (vulnerable)
if (!empty($row)) {
return unserialize(current($row));
}
// After (patched)
if (!empty($row)) {
return \Tools::unSerialize(current($row));
}
3. Compensating controls (temporary)
- Remove price and weight slider filters from filter templates exposed on the front office
- Clear the faceted-search filter cache
- Audit the `modules/ps_facetedsearch/` directory for unexpected PHP files
- Block serialization patterns at the WAF level (
O:,;i:,Monolog\…)
4. Post-mitigation audit
Check for signs of prior exploitation:
- Unexpected PHP files in `modules/ps_facetedsearch/`
– Modified module files - Unusual entries in access logs containing serialization patterns
Impact
| Aspect | Details |
|–||
| CWE | CWE-20 (Improper Input Validation) |
| CVSS v4.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber |
| Attack Vector | Remote, unauthenticated |
| Confidentiality | High (full data exposure) |
| Integrity | High (arbitrary file write) |
| Availability | High (server compromise) |
| Exploit Availability | No public exploit at time of disclosure |
Business Impact:
- Complete compromise of the PrestaShop store and its server
- Theft of customer data (PII, payment information)
- Defacement or ransomware
- Permanent damage to brand reputation
- Regulatory fines (GDPR, PCI-DSS violations)
The module is widely installed across the PrestaShop ecosystem, making this a high-priority update for every merchant using it.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

