CVE-2025-24027: 
PHP vulnerability analysis and mitigation

CVE-2025-24027 affects ps_contactinfo, a PrestaShop module for displaying store contact information, in versions up to and including 3.3.2. The vulnerability was discovered and disclosed on January 22, 2025. The affected component is specifically the store contact information display functionality within PrestaShop installations (CVE Details).

The vulnerability is classified as a cross-site scripting (XSS) issue that specifically affects the formatting of store addresses. The vulnerability cannot be exploited in fresh PrestaShop installations but becomes exploitable when third-party modules with SQL injection vulnerabilities are present. In such cases, pscontactinfo may execute stored cross-site scripting in formatting objects ([GitHub Advisory](https://github.com/PrestaShop/pscontactinfo/security/advisories/GHSA-35pq-7pv2-2rfw)). The vulnerability has been assigned a CVSS score of 6.2, indicating moderate severity (CISA Bulletin).

When exploited, this vulnerability could allow attackers to execute stored cross-site scripting attacks through the address formatting functionality. The impact is particularly significant when combined with other vulnerabilities in third-party modules, as it could lead to the execution of malicious scripts in the context of user sessions (GitHub Advisory).

A fix has been implemented in commit d60f9a5634b4fc2d3a8831fb08fe2e1f23cbfa39, which prevents formatted addresses from displaying XSS stored in the database. The patch is available in version 3.3.3. No workarounds are available aside from applying the fix and ensuring all modules are maintained and updated (CVE Details).