Skip to content
Threat Feed
critical advisory

Unauthenticated PHP Object Injection in PrestaShop ps_facetedsearch Leads to RCE

An unauthenticated PHP Object Injection vulnerability, tracked as CVE-2026-54159, affects the PrestaShop ps_facetedsearch module versions 3.0.0 through 4.0.3, allowing attackers to craft malicious serialized PHP objects in URL parameters that, upon deserialization, result in arbitrary file writes and remote code execution on the server.

A critical unauthenticated PHP Object Injection vulnerability (CVE-2026-54159) has been identified in the PrestaShop ps_facetedsearch module, affecting all versions from 3.0.0 up to and including 4.0.3. This vulnerability allows remote attackers to achieve full compromise of PrestaShop installations without authentication. The flaw arises from insufficient validation of slider filter values (such as price or weight) taken directly from the request URL. Attackers can inject a specially crafted serialized PHP object into these parameters, which is then stored in an internal cache. When the application later attempts to unserialize() this malicious object, it triggers a gadget chain that writes an arbitrary PHP file - effectively a webshell - into the module's directory. This webshell can then be used to execute arbitrary commands on the underlying server, leading to complete control over the shop and its hosting environment.

Attack Chain

  1. An attacker crafts a malicious serialized PHP object embedded within a slider filter (e.g., price or weight) value in a URL parameter.
  2. The crafted URL is submitted via an unauthenticated GET request to the PrestaShop front-office, targeting the ps_facetedsearch module.
  3. The ps_facetedsearch module processes the URL parameter, accepting the value without proper validation, and stores the malicious input in its internal filter-block cache.
  4. At a later point, the application retrieves the cached value and performs a raw native unserialize() operation on the malicious PHP object.
  5. This deserialization process triggers a pre-existing PHP gadget chain within the application's environment.
  6. The activated gadget chain exploits its capabilities to write an arbitrary PHP file, serving as a webshell, into the modules/ps_facetedsearch/ directory.
  7. The attacker subsequently accesses the newly created webshell via HTTP requests, allowing for arbitrary command execution on the compromised server.
  8. This leads to unauthenticated Remote Code Execution (RCE) and full compromise of the PrestaShop instance and its host server.

Impact

The successful exploitation of CVE-2026-54159 results in unauthenticated Remote Code Execution (RCE) and a complete compromise of the affected PrestaShop shop and its hosting server. Any PrestaShop installation utilizing a vulnerable version of the ps_facetedsearch module (3.0.0 through 4.0.3) that exposes a filter template containing a slider filter (price or weight) is at risk. Attackers can gain full control, leading to data theft, website defacement, server-side malware deployment, and other malicious activities. The unauthenticated nature of the vulnerability means that no prior access or credentials are required, significantly broadening the attack surface.

Recommendation

  • Upgrade the ps_facetedsearch module to version 4.0.4 or higher immediately to remove the vulnerability.
  • As an interim measure, remove price and weight slider filters from any filter templates exposed on the front office.
  • Clear the faceted-search filter cache and audit the modules/ps_facetedsearch/ directory for any unexpected or newly created PHP files.
  • Deploy the Detects CVE-2026-54159 Exploitation Attempt - PHP Object Injection Patterns Sigma rule to your WAF or SIEM and configure it to block requests matching the specified PHP serialization patterns.

Detection coverage 1

Detects CVE-2026-54159 Exploitation Attempt - PHP Object Injection Patterns

high

Detects CVE-2026-54159 exploitation - HTTP requests to PrestaShop's ps_facetedsearch module containing suspicious PHP object serialization patterns in URL query parameters, indicating a PHP Object Injection attempt.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →