CVE-2025-61924: 
PHP vulnerability analysis and mitigation

PrestaShop Checkout, the official payment module in partnership with PayPal, was found to contain a security vulnerability in versions prior to 4.4.1 and 5.0.5. The vulnerability involves a Target PayPal merchant account hijacking possibility from the backoffice due to incorrect implementation of the PHP array_search() function (GitHub Advisory).

The vulnerability stems from the wrong usage of PHP's array_search() function, which could lead to validation bypass. The issue received a CVSS v3.1 base score of 3.8 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-184 (Incomplete List of Disallowed Inputs) (NVD, Miggo).

The vulnerability allows for bypass of validation mechanisms, potentially enabling an attacker to modify blacklisted configuration values. This could lead to the hijacking of a PayPal merchant account from the backoffice (GitHub Advisory).

The vulnerability has been patched in versions 4.4.1 and 5.0.5. Specific patched versions include: v4.4.1 for PrestaShop 1.7 (build number: 7.4.4.1), v4.4.1 for PrestaShop 8 (build number: 8.4.4.1), v5.0.5 for PrestaShop 1.7 (build number: 7.5.0.5), v5.0.5 for PrestaShop 8 (build number: 8.5.0.5), and v5.0.5 for PrestaShop 9 (build number: 9.5.0.5). No known workarounds exist for unpatched versions (GitHub Advisory).