<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ps_facetedsearch (3.0.0 Through 4.0.3) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/ps_facetedsearch-3.0.0-through-4.0.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 20:37:39 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/ps_facetedsearch-3.0.0-through-4.0.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthenticated PHP Object Injection in PrestaShop ps_facetedsearch Leads to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-prestashop-rce/</link><pubDate>Fri, 10 Jul 2026 20:37:39 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-prestashop-rce/</guid><description>An unauthenticated PHP Object Injection vulnerability, tracked as CVE-2026-54159, affects the PrestaShop ps_facetedsearch module versions 3.0.0 through 4.0.3, allowing attackers to craft malicious serialized PHP objects in URL parameters that, upon deserialization, result in arbitrary file writes and remote code execution on the server.</description><content:encoded><![CDATA[<p>A critical unauthenticated PHP Object Injection vulnerability (CVE-2026-54159) has been identified in the PrestaShop <code>ps_facetedsearch</code> module, affecting all versions from 3.0.0 up to and including 4.0.3. This vulnerability allows remote attackers to achieve full compromise of PrestaShop installations without authentication. The flaw arises from insufficient validation of slider filter values (such as price or weight) taken directly from the request URL. Attackers can inject a specially crafted serialized PHP object into these parameters, which is then stored in an internal cache. When the application later attempts to <code>unserialize()</code> this malicious object, it triggers a gadget chain that writes an arbitrary PHP file - effectively a webshell - into the module's directory. This webshell can then be used to execute arbitrary commands on the underlying server, leading to complete control over the shop and its hosting environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious serialized PHP object embedded within a slider filter (e.g., price or weight) value in a URL parameter.</li>
<li>The crafted URL is submitted via an unauthenticated GET request to the PrestaShop front-office, targeting the <code>ps_facetedsearch</code> module.</li>
<li>The <code>ps_facetedsearch</code> module processes the URL parameter, accepting the value without proper validation, and stores the malicious input in its internal filter-block cache.</li>
<li>At a later point, the application retrieves the cached value and performs a raw native <code>unserialize()</code> operation on the malicious PHP object.</li>
<li>This deserialization process triggers a pre-existing PHP gadget chain within the application's environment.</li>
<li>The activated gadget chain exploits its capabilities to write an arbitrary PHP file, serving as a webshell, into the <code>modules/ps_facetedsearch/</code> directory.</li>
<li>The attacker subsequently accesses the newly created webshell via HTTP requests, allowing for arbitrary command execution on the compromised server.</li>
<li>This leads to unauthenticated Remote Code Execution (RCE) and full compromise of the PrestaShop instance and its host server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-54159 results in unauthenticated Remote Code Execution (RCE) and a complete compromise of the affected PrestaShop shop and its hosting server. Any PrestaShop installation utilizing a vulnerable version of the <code>ps_facetedsearch</code> module (3.0.0 through 4.0.3) that exposes a filter template containing a slider filter (price or weight) is at risk. Attackers can gain full control, leading to data theft, website defacement, server-side malware deployment, and other malicious activities. The unauthenticated nature of the vulnerability means that no prior access or credentials are required, significantly broadening the attack surface.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>ps_facetedsearch</code> module to version 4.0.4 or higher immediately to remove the vulnerability.</li>
<li>As an interim measure, remove price and weight slider filters from any filter templates exposed on the front office.</li>
<li>Clear the faceted-search filter cache and audit the <code>modules/ps_facetedsearch/</code> directory for any unexpected or newly created PHP files.</li>
<li>Deploy the <code>Detects CVE-2026-54159 Exploitation Attempt - PHP Object Injection Patterns</code> Sigma rule to your WAF or SIEM and configure it to block requests matching the specified PHP serialization patterns.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>php-object-injection</category><category>rce</category><category>webshell</category><category>prestashop</category><category>cve</category><category>web-exploitation</category></item></channel></rss>