{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/prestashop/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PrestaShop (\u003c 8.2.6)","PrestaShop (\u003e= 9.0.0, \u003c 9.1.1)"],"_cs_severities":["critical"],"_cs_tags":["prestashop","xss","stored-xss","cve-2026-44212"],"_cs_type":"advisory","_cs_vendors":["PrestaShop"],"content_html":"\u003cp\u003eA critical stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-44212, affects the Customer Service view of PrestaShop versions prior to 8.2.6 and between 9.0.0 and 9.1.1. This flaw allows an unauthenticated attacker to inject malicious JavaScript code into the system by submitting a crafted email address through the public Contact Us form. The injected payload is then stored within the PrestaShop database. When a back-office employee accesses the affected customer thread through the back-office interface, the stored XSS payload is executed, potentially leading to session hijacking and complete compromise of the PrestaShop back-office environment. This vulnerability was reported by Savio at Doyensec in collaboration with Anthropic Research.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious email address containing an XSS payload.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted email address through the public Contact Us form on the PrestaShop website.\u003c/li\u003e\n\u003cli\u003eThe PrestaShop application stores the attacker-supplied email address and the associated XSS payload in the database, specifically within the customer service messaging system.\u003c/li\u003e\n\u003cli\u003eA back-office employee accesses the customer service section of the PrestaShop administration panel.\u003c/li\u003e\n\u003cli\u003eThe employee opens the customer thread associated with the malicious email address.\u003c/li\u003e\n\u003cli\u003eThe PrestaShop application retrieves the stored email address from the database and renders it in the back-office interface.\u003c/li\u003e\n\u003cli\u003eThe stored XSS payload within the email address is executed by the employee\u0026rsquo;s web browser, due to the lack of proper sanitization and output encoding.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the employee\u0026rsquo;s session, potentially allowing them to perform administrative actions, access sensitive data, or further compromise the PrestaShop installation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability allows an attacker to hijack the session of a PrestaShop back-office employee. This can lead to full control over the PrestaShop installation, including access to sensitive customer data, modification of store settings, installation of malicious modules, and ultimately, complete compromise of the e-commerce platform. Given the critical nature of the back-office, this poses a significant risk to the confidentiality, integrity, and availability of the PrestaShop store. Patches have been released in PrestaShop versions 8.2.6 and 9.1.1 to address this issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PrestaShop installations to version 8.2.6 or 9.1.1 or later to remediate CVE-2026-44212.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PrestaShop Stored XSS via Contact Form\u0026rdquo; to identify attempts to inject malicious code via the contact form.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the \u0026ldquo;Detect PrestaShop Stored XSS via Contact Form\u0026rdquo; Sigma rule, focusing on unusual characters in email addresses submitted via the contact form.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and output encoding mechanisms within the PrestaShop application to prevent XSS vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-09T12:00:00Z","date_published":"2026-05-09T12:00:00Z","id":"/briefs/2026-05-prestashop-xss/","summary":"A stored cross-site scripting (XSS) vulnerability exists in PrestaShop's back-office customer service view, where an unauthenticated attacker can submit a malicious email address via the Contact Us form, leading to session hijacking and full back-office takeover when an employee opens the affected customer thread; patched in PrestaShop 8.2.6 and 9.1.1.","title":"PrestaShop Stored XSS in Customer Service View Allows Back-Office Takeover","url":"https://feed.craftedsignal.io/briefs/2026-05-prestashop-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — PrestaShop","version":"https://jsonfeed.org/version/1.1"}