PrestaShop, Stored XSS, GHSA-w9f3-qc75-qgx9 (Critical)


This Stored Cross-Site Scripting (XSS) vulnerability resides in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a crafted email address containing malicious JavaScript. The Contact Us form does not properly sanitize or escape the email input before saving it to the database, so the payload is stored permanently in the customer thread record. When a back-office employee later opens the affected customer thread, the malicious email address is rendered directly in two places of the customer thread template: the reply form element and a hidden input field. Because the email value is inserted into the HTML output without any escaping, the JavaScript payload executes in the context of the employee's browser. This enables the attacker to hijack the employee's session, steal authentication cookies, and ultimately take full control of the PrestaShop back-office. The root cause is the use of `{$thread->email}` in the Smarty template without the `escape` modifier, combined with loose email validation that accepts RFC-compliant constructs capable of carrying XSS characters. The fix applies the `escape:'html':'UTF-8'` modifier to the template and switches the email validation from `loose` mode to `strict` mode to reject malicious email addresses upfront.

dailycve form:

Platform: PrestaShop
Version: <8.2.6, 9.0.0-9.1.0
Vulnerability: Stored XSS
Severity: Critical
Date: May 8, 2026

Prediction: Already patched 2026-05-08

What Undercode Say:

1. Check your PrestaShop version:
   php bin/console prestashop:version
2. Detect the vulnerable template (any hit is an unescaped output of the email):
   grep -n '{$thread->email}' admin-dev/themes/default/template/controllers/customer_threads/helpers/view/view.tpl
3. Install the official hotfix module:
   composer require prestashop/pshotfix_ghsaw9f3qc75qgx9:dev-main
4. Manual one-liner to escape both occurrences (back up the file first):
   sed -i 's/{$thread->email}/{$thread->email|escape:"html":"UTF-8"}/g' admin-dev/themes/default/template/controllers/customer_threads/helpers/view/view.tpl
5. Enable strict email validation:
   sed -i "s/'mode' => 'loose'/'mode' => 'strict'/" classes/Validate.php
6. Clear the Smarty cache after patching:
   rm -rf var/cache/
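The grep in step 2 only finds the one variable named in the advisory. The script below is an added example (not PrestaShop code and not part of the original post) that generalizes the same check to any bare Smarty output tag with no modifier, applies the `|escape:'html':'UTF-8'` fix to a template string, and shows why the fix works by rendering the hidden input with and without escaping. The template fragment and the `">@example.com` address are constructed for the example; the real `view.tpl` is not reproduced here.

```python
import html
import re

# Constructed Smarty fragment resembling the pattern the advisory describes:
# two bare {$thread->email} outputs (an attribute value and an element body)
# next to outputs that already carry the escape modifier. This is not
# PrestaShop's real view.tpl.
SAMPLE_TEMPLATE = """\
<form method="post">
  <input type="hidden" name="msg_email" value="{$thread->email}">
  <textarea name="reply_message">{$thread->email}</textarea>
  <p>Thread #{$thread->id|escape:'html':'UTF-8'}</p>
  <span>{$thread->email|escape:'html':'UTF-8'}</span>
</form>
"""

# A Smarty output tag such as {$var} or {$obj->prop} with nothing after the
# variable name, i.e. no |escape (or any other) modifier.
BARE_OUTPUT = re.compile(r"\{\$[A-Za-z_]\w*(?:->[A-Za-z_]\w*)*\}")


def find_unescaped_outputs(template: str):
    """Return (line_number, tag) for every Smarty output tag without a modifier."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for match in BARE_OUTPUT.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def add_escape(template: str, variable: str = "$thread->email") -> str:
    """Apply the advisory's fix to a template string: turn every bare
    {$variable} into {$variable|escape:'html':'UTF-8'}. Already escaped
    tags are left alone because the bare form ends in '}' right away."""
    bare = "{" + variable + "}"
    fixed = "{" + variable + "|escape:'html':'UTF-8'}"
    return template.replace(bare, fixed)


def render_hidden_input(email: str, escaped: bool) -> str:
    """Emit the hidden input the way the template would, with or without
    HTML escaping of the stored email value (html.escape with quote=True
    is what the Smarty html escape does for this purpose)."""
    value = html.escape(email, quote=True) if escaped else email
    return f'<input type="hidden" name="msg_email" value="{value}">'


def attribute_is_intact(rendered: str) -> bool:
    """True when the value attribute still closes where the template closes
    it: the template itself writes exactly six double quotes, so any extra
    quote means the stored value broke out of the attribute."""
    return rendered.count('"') == 6


if __name__ == "__main__":
    crafted = '">@example.com'  # the kind of address the advisory names
    for lineno, tag in find_unescaped_outputs(SAMPLE_TEMPLATE):
        print(f"line {lineno}: unescaped output {tag}")
    print("after fix:", find_unescaped_outputs(add_escape(SAMPLE_TEMPLATE)))
    for escaped in (False, True):
        out = render_hidden_input(crafted, escaped)
        print(f"escaped={escaped} intact={attribute_is_intact(out)} {out}")
```

Run against a real template directory, `find_unescaped_outputs` gives the same kind of line-numbered listing as the grep above but for every variable, which is what a reviewer wants before trusting a single `sed` substitution; the quote count in `attribute_is_intact` is a deliberately simple property check and would need a real HTML parser for anything beyond this one attribute.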

Exploit:

Submit the public Contact Us form with an email address such as:
`">@example.com`
Because the email is not escaped, the `">`
