CVE-2025-51586

Impact

An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses.

Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts.

Patches

PrestaShop 8.2.3

Workarounds

You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/

Published: Sep 4, 2025
Updated: Sep 5, 2025
CVE: CVE-2025-51586
GHSA: GHSA-8xx5-h6m3-jr33
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-203

Affected Software
References

Software	From	Fixed in
prestashop / prestashop	-	8.2.3

https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release
https://github.com/PrestaShop/PrestaShop/commit/c97bdf10f77fedbe5a61a1dec5f96b3abb1d76fb
https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.3
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8xx5-h6m3-jr33

Vulnerability Database

CVE-2025-51586

Impact

Patches

Workarounds