CVE-2026-44212

PrestaShop · PrestaShop

A stored Cross-Site Scripting (XSS) vulnerability in PrestaShop allows unauthenticated attackers to trigger a back-office takeover via the Contact Us form.

Executive summary

A critical stored XSS vulnerability in the PrestaShop back-office allows unauthenticated attackers to hijack administrative sessions and gain full control over the application.

Vulnerability

The vulnerability exists in the Customer Service view of the back-office. An unauthenticated attacker can submit a malicious payload via the public Contact Us form, which is then stored and executed when an administrator views the ticket.

Business impact

This flaw facilitates a full back-office takeover, granting the attacker total control over the e-commerce environment. Given the CVSS score of 9.3, this represents a severe threat to the integrity of the store, allowing for unauthorized modifications to product listings, customer data theft, and potential malware distribution.

Remediation

Immediate Action: Update PrestaShop to version 8.2.6 or 9.1.1, the releases that carry the security fix.

Proactive Monitoring: Audit back-office customer service threads for suspicious email addresses or script tags.

Compensating Controls: Utilize a WAF to inspect incoming form submissions for malicious JavaScript payloads.
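The "Proactive Monitoring" step above, as an added example that is not part of this advisory or of PrestaShop's own code: a Python audit that scans an export of customer-service threads and flags sender addresses or message bodies carrying HTML tags, inline event handlers or javascript: URLs, which is how a payload submitted through the Contact Us form would look at rest. The record shape (keys `id`, `email`, `message`) and the sample rows are assumptions constructed for the example.

```python
import re
from collections.abc import Iterable

# Patterns that should not appear in a ticket's sender address or message
# body: HTML tags, inline event handlers and javascript: URLs.
SUSPICIOUS_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
}

# Strict sender-address shape; quotes, angle brackets or whitespace in the
# address field are a sign it is being used to carry markup.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def classify_thread(thread: dict) -> list[str]:
    """Return findings for one thread (keys assumed: id, email, message)."""
    findings = []
    if not EMAIL_RE.match(thread["email"]):
        findings.append("email:malformed")
    for field in ("email", "message"):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(thread[field]):
                findings.append(f"{field}:{name}")
    return findings

def audit_threads(threads: Iterable[dict]) -> dict[int, list[str]]:
    """Map thread id -> findings, keeping only threads that need review."""
    report = {}
    for thread in threads:
        findings = classify_thread(thread)
        if findings:
            report[thread["id"]] = findings
    return report

# Constructed sample export: one legitimate ticket, two carrying markup.
SAMPLE_THREADS = [
    {"id": 101, "email": "jane@example.com",
     "message": "Hi, my order #4521 has not arrived yet. Can you check?"},
    {"id": 102, "email": "jane@example.com",
     "message": 'Hello <script src="https://example.invalid/x.js"></script>'},
    {"id": 103, "email": 'bob"<b onmouseover=x>@example.com',
     "message": "Where is my refund?"},
]

if __name__ == "__main__":
    for tid, findings in audit_threads(SAMPLE_THREADS).items():
        print(f"thread {tid}: {', '.join(findings)}")
```

Any thread the audit reports should be reviewed from a client that does not render the stored HTML (for example a database shell), not from the back-office Customer Service view that the advisory describes as the execution point.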

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Administrative takeover vulnerabilities are high-priority targets. It is essential to update the PrestaShop environment to the latest patched version to prevent unauthorized access and maintain the security of your e-commerce operations.