PrestaShop, the open-source e-commerce platform known for its customizable PHP architecture and used by merchants worldwide for everything from localized shopping carts to major payment integrations, has issued an urgent security update for a critical vulnerability that could hand control of an online store to an unauthenticated attacker.
The flaw, tracked as CVE-2026-44212, carries a CVSS score of 9.3. It is a textbook Stored Cross-Site Scripting (XSS) vulnerability in a feature every merchant relies on: the “Contact Us” form.
At the heart of the issue is CWE-79 (improper neutralization of input during web page generation): user-supplied data is stored and later rendered into an administrator's page without being HTML-encoded.
In this exploit chain, the attacker does not need an account. By visiting a store's public “Contact Us” page, a malicious actor can submit the form with a JavaScript payload embedded in the email address field.
The danger lies in what happens next:
- The malicious payload is accepted by the public-facing form and silently saved in the merchant’s database.
- The payload remains dormant until a back-office employee, typically a customer service representative or store manager, opens the affected customer thread in the admin panel.
- Once the thread is viewed, the script executes in the context of the employee's browser session. Because it runs inside an already-authenticated back-office page, it can issue requests with the employee's privileges or steal the session outright (an HttpOnly session cookie blocks the second, not the first), which amounts to a full back-office takeover.
From this point, the attacker has the same privileges as the merchant, allowing them to modify products, steal customer data, or redirect payment flows.
Because this is a stored vulnerability, the payload sits in the database and fires every time the thread is opened, so the risk remains active as long as the malicious thread exists on an unpatched installation. Security teams and e-commerce administrators are urged to update immediately. After patching, it is also worth reviewing stored customer threads for email values that could not be a valid address and deleting them, rather than leaving a neutralized payload in place.
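To make the chain above concrete, the following is an added example (not PrestaShop's own code) showing the three pieces a practitioner cares about: the vulnerable rendering pattern in which a stored email value is interpolated into admin-panel markup as-is, the hardened form that HTML-encodes every stored value before output, and an audit pass that flags already-stored rows whose email column cannot be a valid address. The sample rows and their column names (id_customer_thread, email, message) are constructed for illustration and do not reflect PrestaShop's schema.

```python
"""Stored XSS through an email field: vulnerable vs. hardened rendering,
plus an audit over stored rows.

Added example, not PrestaShop's own code. The row layout and column names
below are assumptions made for illustration, not PrestaShop's schema.
"""
import html
import re
from typing import Optional

# Conservative address check: local@domain with no characters that could open
# an HTML tag or break out of an attribute. Real addresses (RFC 5322) are
# broader, but a public contact form can reasonably refuse what this refuses.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Sample rows, constructed for this example; not real data.
SAMPLE_THREADS = [
    {"id_customer_thread": 1, "email": "alice@example.com",
     "message": "Where is my order?"},
    {"id_customer_thread": 2,
     "email": 'x"><script>alert(document.cookie)</script>@evil.example',
     "message": "hi"},
    {"id_customer_thread": 3, "email": "bob@example.org",
     "message": "<b>bold</b> question"},
]


def render_thread_row_vulnerable(row: dict) -> str:
    """The vulnerable pattern: stored values go into markup unencoded, so a
    payload in the email column executes when an employee opens the thread."""
    return (
        f'<tr><td>{row["id_customer_thread"]}</td>'
        f'<td><a href="mailto:{row["email"]}">{row["email"]}</a></td>'
        f'<td>{row["message"]}</td></tr>'
    )


def _esc(value) -> str:
    # quote=True also encodes the double quote, so a value inside the
    # mailto: attribute cannot close the attribute and start a new tag.
    return html.escape(str(value), quote=True)


def render_thread_row_safe(row: dict) -> str:
    """Hardened form: every stored value is HTML-encoded at output time."""
    return (
        f'<tr><td>{_esc(row["id_customer_thread"])}</td>'
        f'<td><a href="mailto:{_esc(row["email"])}">{_esc(row["email"])}</a></td>'
        f'<td>{_esc(row["message"])}</td></tr>'
    )


def accept_contact_email(raw: str) -> Optional[str]:
    """Input validation at the public form: return the trimmed address, or
    None to reject. This is in addition to output encoding, not a substitute."""
    value = raw.strip()
    if len(value) > 254 or not EMAIL_RE.match(value):
        return None
    return value


def audit_stored_threads(rows) -> list:
    """Ids of rows whose email column cannot be a valid address. On an
    unpatched store these rows are the live risk, so find and remove them."""
    return [r["id_customer_thread"] for r in rows
            if accept_contact_email(r["email"]) is None]


if __name__ == "__main__":
    for row in SAMPLE_THREADS:
        print(render_thread_row_safe(row))
    print("suspicious thread ids:", audit_stored_threads(SAMPLE_THREADS))
```

The audit deliberately reuses the form's own validator: any stored email the form would now reject is worth a look, whether or not it contains an obvious `<script>` tag, since attribute-breakout payloads do not always include one.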
PrestaShop has released coordinated patches to address the flaw in its latest supported branches.
Ensure your platform is up to date. As defense in depth, consider a Content-Security-Policy for the back office that disallows inline scripts, and keep the session cookie marked HttpOnly and SameSite. These headers limit what an injected script can do but do not remove the need to encode output: a script that runs inside an authenticated page can still send requests with that session.