CVE-2025-61924

LOW3.8EPSS 0.04%

PrestaShop Checkout Target PayPal merchant account hijacking from backoffice

Published: 10/16/2025Modified: 10/16/2025

Description

### Impact Wrong usage of the PHP `array_search()` allows bypass of validation. ### Patches The problem has been patched in versions: - v4.4.1 for PrestaShop 1.7 (build number: 7.4.4.1) - v4.4.1 for PrestaShop 8 (build number: 8.4.4.1) - v5.0.5 for PrestaShop 1.7 (build number: 7.5.0.5) - v5.0.5 for PrestaShop 8 (build number: 8.5.0.5) - v5.0.5 for PrestaShop 9 (build number: 9.5.0.5) Read the [Versioning policy](https://github.com/PrestaShopCorp/ps_checkout/wiki/Versioning) to learn more about the build number. ### Credits [Léo CUNÉAZ](https://github.com/inem0o) reported this issue.

Affected packages (1)

Packagist/prestashop/ps_checkoutfrom 0, < 4.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-61924
PATCHhttps://github.com/PrestaShopCorp/ps_checkout
WEBhttps://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-wvpg-4wrh-5889