
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-51586 is a security vulnerability discovered in PrestaShop's back office password reset feature. The vulnerability was disclosed on September 4, 2025, affecting PrestaShop versions below 8.2.3. This moderate severity flaw allows unauthenticated attackers to enumerate valid back-office employee email addresses through manipulation of the idemployee and resettoken parameters (PrestaShop Advisory).
The vulnerability exists within the selectEventConfig method of PrestaShop's back office authentication system. The issue stems from improper validation of user-supplied strings before using them to construct queries. The vulnerability has been assigned a CVSS v3.1 base score of 4.2 (Moderate) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N. The flaw is classified as CWE-203 (Observable Discrepancy), where the system behaves differently under various circumstances in a way that is observable to unauthorized actors (GitHub Advisory).
The vulnerability impacts store administrators and employees by exposing their email addresses to potential attackers. This exposure creates risks for merchants, including potential phishing attacks, social engineering attempts, and brute-force attacks targeting admin accounts. The exploitation requires the attacker to have access to the back-office URL (PrestaShop Release).
The primary mitigation is to update to PrestaShop version 8.2.3, which contains the security fix. For those unable to update immediately, several temporary workarounds are available: restricting network access to the back office, adding extra HTTP authentication, customizing the back-office URL, implementing rate limiting, monitoring logs for suspicious activities, and enabling 2FA for employee accounts. However, these workarounds should not be considered permanent solutions (PrestaShop Advisory).
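The log-monitoring workaround above, as an added example that is not code from the PrestaShop project or the advisory: a Python sketch that scans web-server access logs for one client cycling through many distinct idemployee values in the AdminLogin reset flow, the pattern behind the enumeration waves the advisory mentions. The "/admin-dev/" path, the combined log format and the sample lines are constructed assumptions, not values from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not real traffic). "/admin-dev/" is an assumed stand-in
# for a shop's customised back-office path; the first client walks idemployee 1..6.
_LINE = ('{ip} - - [04/Sep/2025:10:00:{sec:02d} +0000] "GET /admin-dev/index.php'
         '?controller=AdminLogin&reset=1&idemployee={emp}&resettoken=deadbeef HTTP/1.1" 200 512')
SAMPLE_LOG = "\n".join(
    [_LINE.format(ip="203.0.113.5", sec=s, emp=s + 1) for s in range(6)]  # enumeration burst
    + [_LINE.format(ip="198.51.100.7", sec=30, emp=3)]                     # one ordinary reset
    + ['192.0.2.9 - - [04/Sep/2025:10:00:40 +0000] "GET /index.php HTTP/1.1" 200 100']
)

def parse_reset_requests(log_text):
    """Yield (ip, timestamp, idemployee) for every AdminLogin reset request."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target, _status = m.groups()
        q = parse_qs(urlsplit(target).query)
        # Keep only the reset flow carrying the two parameters the advisory names.
        if q.get("controller") != ["AdminLogin"] or "idemployee" not in q or "resettoken" not in q:
            continue
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), q["idemployee"][0]

def find_enumeration(log_text, window_seconds=60, threshold=5):
    """Return {ip: max distinct idemployee values} for IPs reaching threshold in any window."""
    per_ip = defaultdict(list)
    for ip, when, emp in parse_reset_requests(log_text):
        per_ip[ip].append((when, emp))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time-sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {emp for _, emp in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(len(distinct), flagged.get(ip, 0))
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

Feed the same function a real access log (after adjusting the path and parameter spelling to the deployment) to obtain the client addresses worth rate limiting or blocking.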
The vulnerability was responsibly reported by Maxime Morel-Bailly, with fixes implemented by M0rgan01 and matthieu-rolland. OpenServis and TouchWeb played a crucial role in alerting about ongoing waves of enumeration attempts in the wild (PrestaShop Release).
Source: This report was generated using AI