PrestaShop Stored XSS Vulnerability via Unprotected Template Variables
Multiple stored XSS vulnerabilities exist in PrestaShop, where an attacker with database access can exploit unprotected variables in back-office templates to execute malicious scripts in a user's browser.
Multiple stored Cross-Site Scripting (XSS) vulnerabilities have been identified in PrestaShop versions prior to 8.2.5 and in versions 9.0.0-alpha.1 to 9.1.0. These vulnerabilities allow an attacker who has the ability to inject data into the database, either through limited back-office access or by exploiting a pre-existing vulnerability, to execute arbitrary JavaScript code in the context of a back-office user's browser. This is achieved by exploiting unprotected variables in back-office templates. Successful exploitation could lead to account takeover, data theft, or further compromise of the PrestaShop installation. The vulnerability is identified as CVE-2026-33673. Patches are available in versions 8.2.5 and 9.1.0.
Attack Chain
- Initial Compromise: The attacker gains unauthorized access to the PrestaShop back office, either through brute-force attacks, credential stuffing, or exploitation of other vulnerabilities (e.g., SQL injection, authentication bypass).
- Database Injection: The attacker injects malicious JavaScript code into a database field that is later rendered in a back-office template. This can be achieved by manipulating input fields or directly modifying database records if sufficient privileges are obtained.
- Template Rendering: A back-office user accesses a page that renders the template containing the injected malicious code.
- XSS Execution: The injected JavaScript code executes within the user's browser session due to the lack of proper output escaping or sanitization in the template.
- Session Hijacking/Account Takeover: The attacker's JavaScript code steals the user's session cookies or other authentication tokens.
- Privilege Escalation: Using the stolen session, the attacker gains access to the back-office user's account, potentially with administrative privileges.
- Further Exploitation: The attacker uses the compromised account to modify store settings, install malicious modules, steal sensitive data (customer information, financial data), or deface the website.
- Persistence: The attacker establishes persistent access by creating rogue administrator accounts or installing backdoors within the PrestaShop system.
Impact
Successful exploitation of these XSS vulnerabilities can have severe consequences for PrestaShop store owners and their customers. An attacker can gain full control of the store's back office, leading to unauthorized access to sensitive data, including customer information and financial details. This can result in financial losses, reputational damage, and legal liabilities for the store owner. While specific victim counts are unavailable, the widespread use of PrestaShop makes this a potentially high-impact vulnerability.
Recommendation
- Upgrade PrestaShop installations to version 8.2.5 or 9.1.0 to patch CVE-2026-33673.
- Implement strict input validation and output encoding on all user-supplied data to prevent XSS attacks.
- Monitor web server logs for suspicious activity, such as unusual requests to back-office pages or attempts to inject malicious code into database fields (see example Sigma rule).
- Enforce strong password policies and multi-factor authentication for all back-office user accounts.
- Regularly audit PrestaShop installations for security vulnerabilities and apply security patches promptly.
Detection coverage 3
Detect Potential XSS Attempts in PrestaShop Backoffice via URI
highDetects potential XSS attempts in PrestaShop backoffice based on suspicious URI patterns
Detect Suspicious HTTP Referer to PrestaShop Admin Panel
mediumDetects access to PrestaShop admin panel from an external domain, which may indicate an attempt to exploit vulnerabilities from a malicious origin.
Detect Modification of PrestaShop Configuration Files
highDetects modification of PrestaShop configuration files, which may indicate unauthorized access or an attempt to inject malicious code.
Detection queries are available on the platform. Get full rules →