Unauthenticated PHP Object Injection in PrestaShop ps_facetedsearch Leads to RCE
An unauthenticated PHP Object Injection vulnerability, tracked as CVE-2026-54159, affects the PrestaShop ps_facetedsearch module versions 3.0.0 through 4.0.3, allowing attackers to craft malicious serialized PHP objects in URL parameters that, upon deserialization, result in arbitrary file writes and remote code execution on the server.
A critical unauthenticated PHP Object Injection vulnerability (CVE-2026-54159) has been identified in the PrestaShop ps_facetedsearch module, affecting all versions from 3.0.0 up to and including 4.0.3. This vulnerability allows remote attackers to achieve full compromise of PrestaShop installations without authentication. The flaw arises from insufficient validation of slider filter values (such as price or weight) taken directly from the request URL. Attackers can inject a specially crafted serialized PHP object into these parameters, which is then stored in an internal cache. When the application later attempts to unserialize() this malicious object, it triggers a gadget chain that writes an arbitrary PHP file - effectively a webshell - into the module's directory. This webshell can then be used to execute arbitrary commands on the underlying server, leading to complete control over the shop and its hosting environment.
Attack Chain
- An attacker crafts a malicious serialized PHP object embedded within a slider filter (e.g., price or weight) value in a URL parameter.
- The crafted URL is submitted via an unauthenticated GET request to the PrestaShop front-office, targeting the
ps_facetedsearchmodule. - The
ps_facetedsearchmodule processes the URL parameter, accepting the value without proper validation, and stores the malicious input in its internal filter-block cache. - At a later point, the application retrieves the cached value and performs a raw native
unserialize()operation on the malicious PHP object. - This deserialization process triggers a pre-existing PHP gadget chain within the application's environment.
- The activated gadget chain exploits its capabilities to write an arbitrary PHP file, serving as a webshell, into the
modules/ps_facetedsearch/directory. - The attacker subsequently accesses the newly created webshell via HTTP requests, allowing for arbitrary command execution on the compromised server.
- This leads to unauthenticated Remote Code Execution (RCE) and full compromise of the PrestaShop instance and its host server.
Impact
The successful exploitation of CVE-2026-54159 results in unauthenticated Remote Code Execution (RCE) and a complete compromise of the affected PrestaShop shop and its hosting server. Any PrestaShop installation utilizing a vulnerable version of the ps_facetedsearch module (3.0.0 through 4.0.3) that exposes a filter template containing a slider filter (price or weight) is at risk. Attackers can gain full control, leading to data theft, website defacement, server-side malware deployment, and other malicious activities. The unauthenticated nature of the vulnerability means that no prior access or credentials are required, significantly broadening the attack surface.
Recommendation
- Upgrade the
ps_facetedsearchmodule to version 4.0.4 or higher immediately to remove the vulnerability. - As an interim measure, remove price and weight slider filters from any filter templates exposed on the front office.
- Clear the faceted-search filter cache and audit the
modules/ps_facetedsearch/directory for any unexpected or newly created PHP files. - Deploy the
Detects CVE-2026-54159 Exploitation Attempt - PHP Object Injection PatternsSigma rule to your WAF or SIEM and configure it to block requests matching the specified PHP serialization patterns.
Detection coverage 1
Detects CVE-2026-54159 Exploitation Attempt - PHP Object Injection Patterns
highDetects CVE-2026-54159 exploitation - HTTP requests to PrestaShop's ps_facetedsearch module containing suspicious PHP object serialization patterns in URL query parameters, indicating a PHP Object Injection attempt.
Detection queries are available on the platform. Get full rules →