A critical vulnerability exists in the official PrestaShop Checkout module that allows an attacker to silently log into user accounts without credentials. This flaw, caused by missing validation in the Express Checkout feature, could lead to unauthorized access to customer data, fraudulent transactions, and significant reputational damage. Organizations using affected versions of the module are at high risk of account takeover and should apply the provided security updates immediately.

The vulnerability is an authentication bypass due to improper validation within the Express Checkout functionality. An unauthenticated attacker can manipulate the data sent during the checkout process to create a valid session and gain unauthorized access to an existing user's account. This "silent login" occurs without requiring a username or password, meaning the legitimate account owner would not be prompted for credentials or notified of the malicious session, allowing the attacker to impersonate the user, access their personal information, and potentially make purchases on their behalf.

This vulnerability is of critical severity with a CVSS score of 9.1, posing a direct and severe threat to business operations and customer trust. Successful exploitation can lead to widespread customer account takeovers, resulting in the theft of personally identifiable information (PII), payment details, and order history. The business could face significant financial losses from fraudulent transactions, regulatory fines for data breaches (e.g., GDPR), and severe reputational harm that erodes customer confidence and loyalty.

Immediate Action: Immediately update the PrestaShop Checkout module to a patched version (4.4.1, 5.0.5, or newer) to eliminate the vulnerability. After patching, it is crucial to review access logs and account activity for any signs of compromise that may have occurred prior to the update, paying close attention to unusual login events or account modifications.

Proactive Monitoring: Implement enhanced monitoring of web server and application logs for unusual patterns related to the checkout process. Specifically, look for multiple login sessions originating from a single IP address targeting different accounts, unexpected successful logins that do not correspond with known user activity, and any direct access attempts to account pages that bypass the standard login workflow.

Compensating Controls: If immediate patching is not feasible, consider temporarily disabling the Express Checkout feature until the update can be applied. Additionally, deploy a Web Application Firewall (WAF) with rules specifically designed to inspect and block malformed requests targeting the checkout and authentication endpoints. Enforcing multi-factor authentication (MFA) across all customer accounts can also add a critical layer of security against unauthorized access.

Public Exploit Available: false

Given the critical severity (CVSS 9.1) of this vulnerability, immediate action is required. We strongly recommend that all organizations using the PrestaShop Checkout module apply the necessary security updates without delay. Although this CVE is not currently listed on the CISA KEV list, its potential for widespread impact makes it a prime candidate for future inclusion. Organizations should prioritize this patch and conduct a thorough review of their systems for any evidence of past compromise related to this flaw.