CVE-2025-51586: 
PHP vulnerability analysis and mitigation

A user enumeration vulnerability (CVE-2025-51586) was discovered in PrestaShop's AdminLogin controller affecting versions 1.7 through 8.2.2. The vulnerability was disclosed on September 4, 2025, and allows remote attackers to obtain administrator email addresses by manipulating the id_employee and reset_token parameters in the password reset feature. The issue affects the file controllers/admin/AdminLoginController.php and has been fixed in version 8.2.3 (PrestaShop Advisory, NVD).

The vulnerability stems from a logic flaw in the password reset functionality where the application would expose employee email addresses in a hidden field without properly validating the reset token. The issue has a CVSS v3.1 base score of 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) and requires network access but no authentication or user interaction to exploit (Miggo, PrestaShop Advisory).

An unauthenticated attacker with access to the back-office URL can enumerate valid back-office employee email addresses by manipulating the id_employee and reset_token parameters. This exposure of administrator email addresses could lead to targeted phishing attacks, social engineering attempts, and potential brute-force attacks against admin accounts (Miggo).

The vulnerability has been patched in PrestaShop version 8.2.3. Additional recommendations include enforcing rate limiting on the password reset endpoint, installing a security module that enables 2FA for BackOffice login, keeping the Back Office URL secret and rotating it if leaked, and keeping PrestaShop up to date (PrestaShop Advisory).