{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ps_facetedsearch-3.0.0-through-4.0.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ps_facetedsearch (3.0.0 through 4.0.3)"],"_cs_severities":["critical"],"_cs_tags":["php-object-injection","rce","webshell","prestashop","cve","web-exploitation"],"_cs_type":"advisory","_cs_vendors":["PrestaShop"],"content_html":"\u003cp\u003eA critical unauthenticated PHP Object Injection vulnerability (CVE-2026-54159) has been identified in the PrestaShop \u003ccode\u003eps_facetedsearch\u003c/code\u003e module, affecting all versions from 3.0.0 up to and including 4.0.3. This vulnerability allows remote attackers to achieve full compromise of PrestaShop installations without authentication. The flaw arises from insufficient validation of slider filter values (such as price or weight) taken directly from the request URL. Attackers can inject a specially crafted serialized PHP object into these parameters, which is then stored in an internal cache. When the application later attempts to \u003ccode\u003eunserialize()\u003c/code\u003e this malicious object, it triggers a gadget chain that writes an arbitrary PHP file - effectively a webshell - into the module's directory. This webshell can then be used to execute arbitrary commands on the underlying server, leading to complete control over the shop and its hosting environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious serialized PHP object embedded within a slider filter (e.g., price or weight) value in a URL parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted URL is submitted via an unauthenticated GET request to the PrestaShop front-office, targeting the \u003ccode\u003eps_facetedsearch\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eps_facetedsearch\u003c/code\u003e module processes the URL parameter, accepting the value without proper validation, and stores the malicious input in its internal filter-block cache.\u003c/li\u003e\n\u003cli\u003eAt a later point, the application retrieves the cached value and performs a raw native \u003ccode\u003eunserialize()\u003c/code\u003e operation on the malicious PHP object.\u003c/li\u003e\n\u003cli\u003eThis deserialization process triggers a pre-existing PHP gadget chain within the application's environment.\u003c/li\u003e\n\u003cli\u003eThe activated gadget chain exploits its capabilities to write an arbitrary PHP file, serving as a webshell, into the \u003ccode\u003emodules/ps_facetedsearch/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker subsequently accesses the newly created webshell via HTTP requests, allowing for arbitrary command execution on the compromised server.\u003c/li\u003e\n\u003cli\u003eThis leads to unauthenticated Remote Code Execution (RCE) and full compromise of the PrestaShop instance and its host server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-54159 results in unauthenticated Remote Code Execution (RCE) and a complete compromise of the affected PrestaShop shop and its hosting server. Any PrestaShop installation utilizing a vulnerable version of the \u003ccode\u003eps_facetedsearch\u003c/code\u003e module (3.0.0 through 4.0.3) that exposes a filter template containing a slider filter (price or weight) is at risk. Attackers can gain full control, leading to data theft, website defacement, server-side malware deployment, and other malicious activities. The unauthenticated nature of the vulnerability means that no prior access or credentials are required, significantly broadening the attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eps_facetedsearch\u003c/code\u003e module to version 4.0.4 or higher immediately to remove the vulnerability.\u003c/li\u003e\n\u003cli\u003eAs an interim measure, remove price and weight slider filters from any filter templates exposed on the front office.\u003c/li\u003e\n\u003cli\u003eClear the faceted-search filter cache and audit the \u003ccode\u003emodules/ps_facetedsearch/\u003c/code\u003e directory for any unexpected or newly created PHP files.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetects CVE-2026-54159 Exploitation Attempt - PHP Object Injection Patterns\u003c/code\u003e Sigma rule to your WAF or SIEM and configure it to block requests matching the specified PHP serialization patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T20:37:39Z","date_published":"2026-07-10T20:37:39Z","id":"https://feed.craftedsignal.io/briefs/2026-07-prestashop-rce/","summary":"An unauthenticated PHP Object Injection vulnerability, tracked as CVE-2026-54159, affects the PrestaShop ps_facetedsearch module versions 3.0.0 through 4.0.3, allowing attackers to craft malicious serialized PHP objects in URL parameters that, upon deserialization, result in arbitrary file writes and remote code execution on the server.","title":"Unauthenticated PHP Object Injection in PrestaShop ps_facetedsearch Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-prestashop-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Ps_facetedsearch (3.0.0 Through 4.0.3)","version":"https://jsonfeed.org/version/1.1"}