GHSA-MQQ7-WXX5-MP8H: Unauthorized Method Invocation in PrestaShop Checkout
Vulnerability ID: GHSA-MQQ7-WXX5-MP8H
CVSS Score: 3.3
Published: 2026-04-30
The PrestaShop Checkout (ps_checkout) module prior to version 5.3.0 suffers from an improper input validation vulnerability (CWE-20). Because an HTTP request parameter is used to select which method the module invokes, an attacker can call public methods that were never meant to be reachable from a request. The flaw is rated low severity because the exploitation paths are limited, but the underlying pattern, routing a request-supplied value straight to a method name, is a recurring source of bugs in dynamic dispatch code.
TL;DR
PrestaShop Checkout module < 5.3.0 fails to validate the request parameter used for method invocation, allowing attackers to call public methods that were not intended to be request-selectable. The vendor rates the impact as low; upgrade to 5.3.0.
Technical Details
- Vulnerability Type: Improper Input Validation (CWE-20)
- Attack Vector: Network
- Impact: Unauthorized Method Invocation
- CVSS Severity: Low (3.3)
- Exploitation Status: None documented
- CISA KEV: Not Listed
Affected Systems
- PrestaShop e-commerce platform
- PrestaShop Checkout (ps_checkout) module
- ps_checkout: < 5.3.0 (fixed in 5.3.0)
Mitigation Strategies
- Upgrade the ps_checkout module to version 5.3.0 or higher.
- Where the upgrade must wait, add a Web Application Firewall (WAF) rule that only passes the parameter values the module legitimately uses for method selection. Treat this as a stopgap, not a fix: the vulnerable dispatch code is still present behind it.
- Audit custom modules and overrides for the same dynamic method invocation pattern (a request value ending up in `$this->$name()`, `$obj->{$name}()`, or `call_user_func([$obj, $name])`) and replace it with an explicit allowlist of callable actions.
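To make the pattern concrete, the following PHP illustration is added here; it is not ps_checkout's code and not an example from the advisory. It uses a hypothetical front controller, `HypotheticalCheckoutController`, whose `action` request parameter selects the method to invoke, and shows the vulnerable dispatcher beside an allowlisted one. Every class, method and parameter name in it is an assumption made for the illustration.

```php
<?php
// Added illustration, not code from ps_checkout or PrestaShop. All names
// here are hypothetical; they only show the CWE-20 pattern the advisory
// describes: a request parameter chooses which method a controller calls.

class HypotheticalCheckoutController
{
    // Public because the framework calls them, but only some are meant to be
    // reachable through a request parameter.
    public function createOrder(array $params): string
    {
        return 'order created for cart ' . (int)($params['cart_id'] ?? 0);
    }

    public function getStatus(array $params): string
    {
        return 'status of order ' . (int)($params['order_id'] ?? 0);
    }

    public function refund(array $params): string
    {
        return 'refund issued';   // never meant to be request-selectable
    }

    // Vulnerable pattern: any public method named in the parameter is called.
    // Note that method_exists() and the call itself are case-insensitive, and
    // that 'dispatchUnsafe' is itself a valid target (unbounded recursion).
    public function dispatchUnsafe(array $request): string
    {
        $action = $request['action'] ?? '';
        if (!is_string($action) || !method_exists($this, $action)) {
            return 'unknown action';
        }
        return $this->$action($request);   // attacker-controlled method name
    }

    // Hardened pattern: the request value is only a key into a fixed map of
    // intended actions; the method name itself never comes from the request.
    private const ALLOWED_ACTIONS = [
        'createOrder' => 'createOrder',
        'getStatus'   => 'getStatus',
    ];

    public function dispatchSafe(array $request): string
    {
        $action = $request['action'] ?? '';
        if (!is_string($action) || !preg_match('/^[a-zA-Z]{1,32}$/', $action)) {
            return 'invalid action';
        }
        // array_key_exists() is case-sensitive, unlike method_exists().
        if (!array_key_exists($action, self::ALLOWED_ACTIONS)) {
            return 'unknown action';
        }
        $method = self::ALLOWED_ACTIONS[$action];
        return $this->$method($request);
    }
}

$c = new HypotheticalCheckoutController();

// Legitimate request: both dispatchers behave the same.
echo $c->dispatchUnsafe(['action' => 'getStatus', 'order_id' => 7]), PHP_EOL;
echo $c->dispatchSafe(['action' => 'getStatus', 'order_id' => 7]), PHP_EOL;

// Attacker names a method that was never intended to be exposed.
echo $c->dispatchUnsafe(['action' => 'refund']), PHP_EOL;   // refund issued
echo $c->dispatchSafe(['action' => 'refund']), PHP_EOL;     // unknown action

// A deny-list on exact names would not help the unsafe dispatcher, because
// PHP method lookup ignores case; the allowlist is unaffected.
echo $c->dispatchUnsafe(['action' => 'REFUND']), PHP_EOL;   // refund issued
echo $c->dispatchSafe(['action' => 'REFUND']), PHP_EOL;     // unknown action
```

When auditing a module, the thing to look for is any place where a value that originated in `$_GET`, `$_POST`, `Tools::getValue()` or a route parameter is used, directly or after a `method_exists()` check, as the method name in a dynamic call. `method_exists()` on its own is not a fix: it confirms the method exists, not that the request was ever meant to reach it, and it matches case-insensitively. The allowlist above fails closed for anything not in the map, which is the behaviour a fixed dispatcher should have.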
Remediation Steps:
- Navigate to the PrestaShop administrative backend.
- Access the Module Manager section.
- Search for the 'PrestaShop Checkout' (ps_checkout) module.
- Click 'Upgrade' to install version 5.3.0 or the latest available version.
- Verify that the module still works as expected by performing a test transaction after the upgrade.
References
- GitHub Advisory Database Record
- PrestaShop Checkout Repository Advisory
- PrestaShop Checkout Release v5.3.0
- External Security Analysis (LinkedIn)