CVE-2025-51586
Published 2025-09-08
Priority P4 · Low · CVSS 3.1 base score 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
EXPLOIT
EPSS: 0.76% (50.5th percentile)
An issue was discovered in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prestashop | prestashop | < 8.2.1 | 8.2.1 |
| prestashop | prestashop | >= 0 < 8.2.3 | 8.2.3 |
OSV
osv·2025-09-04
CVE-2025-51586 [MEDIUM] Presta Shop vulnerable to email enumeration
### Impact
An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses.
Impacted parties:
- Store administrators and employees: their email addresses are exposed.
- Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts.
### Patches
PrestaShop 8.2.3
### Workarounds
You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/
GHSA
ghsa·2025-09-04
CVE-2025-51586 [MEDIUM] CWE-203 Presta Shop vulnerable to email enumeration
Impact, Patches and Workarounds: identical to the OSV entry above.
No detection rules found.
Nuclei
nuclei·CVSS 3.7
CVE-2025-51586 [LOW] PrestaShop - Information Disclosure
User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2 allows remote attackers to obtain administrators user email addresses via manipulation of the id_employee and reset_token parameters. An attacker who has access to the Back Office login URL can trigger the password reset form to disclose the associated email address in a hidden field, even when the provided reset token is invalid. This issue has been fixed in 8.2.3.
Template:

```yaml
id: CVE-2025-51586

info:
  name: PrestaShop - Information Disclosure
  author: mastercho
  severity: medium
  description: |
    User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2 allows remote attackers to obtain administrators user email addresses via manipulation of the id_employee and reset_token parameters. An attacker who has access to the Back Office login URL can trigger the password reset form to disclose the associated email address in a hidden field, even when the provided reset token is invalid. This issue has been fixed in 8.2.3.
  # remaining sections of the template are not reproduced on this page
```
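The mechanism the OSV/GHSA impact text and the Nuclei description both describe is a classic CWE-203 oracle: a reset form that renders the account's email for every existing id_employee, whether or not reset_token is valid, lets an unauthenticated client tell valid ids from invalid ones and harvest the addresses. The following is an added, simplified model written for this page; it is not PrestaShop's code and does not reproduce the 8.2.3 patch. Only the parameter names id_employee and reset_token come from the advisory; the account store, form markup, token scheme, the sample accounts and the probe functions are assumptions made for the illustration.

```python
"""Illustration of the vulnerability class behind CVE-2025-51586 (CWE-203):
a back-office password-reset form that reveals the account's email for every
existing id_employee, whether or not reset_token is valid, is a user
enumeration oracle.  Simplified model for this page, NOT PrestaShop code.
Only the parameter names id_employee and reset_token come from the advisory;
the storage, markup and token scheme below are assumptions."""
import hmac
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class Employee:
    id_employee: int
    email: str
    reset_token: Optional[str]  # token issued for a pending reset, else None
    token_expires: float        # unix time after which the token is dead


# Constructed sample accounts (assumption, not real data).
EMPLOYEES: Dict[int, Employee] = {
    1: Employee(1, "owner@example-shop.test", None, 0.0),
    2: Employee(2, "support@example-shop.test", "c0ffee", time.time() + 3600),
}

INVALID_LINK = "<p>This reset link is invalid or has expired.</p>"

Handler = Callable[[int, str], str]


def vulnerable_reset_form(id_employee: int, reset_token: str) -> str:
    """Vulnerable shape: the employee is looked up and the form rendered with
    the email in a hidden field; the token is only checked on submit, so any
    existing id returns a page that differs from the unknown-id error."""
    emp = EMPLOYEES.get(id_employee)
    if emp is None:
        return "<p>Invalid employee.</p>"
    return (
        "<form method='post'>"
        f"<input type='hidden' name='id_employee' value='{emp.id_employee}'>"
        f"<input type='hidden' name='reset_token' value='{reset_token}'>"
        f"<input type='hidden' name='email' value='{emp.email}'>"  # the leak
        "<input type='password' name='passwd'><button>Reset</button></form>"
    )


def _token_valid(emp: Optional[Employee], reset_token: str) -> bool:
    """Token check that fails identically for unknown ids, accounts with no
    pending reset, expired tokens and wrong tokens (constant-time compare)."""
    if emp is None or not emp.reset_token or time.time() > emp.token_expires:
        return False
    return hmac.compare_digest(emp.reset_token.encode(), reset_token.encode())


def hardened_reset_form(id_employee: int, reset_token: str) -> str:
    """Hardened shape: validate the token before rendering anything, answer
    unknown ids and bad tokens with the identical page, and keep the email out
    of the response (the server already knows which account the token is for)."""
    emp = EMPLOYEES.get(id_employee)
    if not _token_valid(emp, reset_token):
        return INVALID_LINK
    return (
        "<form method='post'>"
        f"<input type='hidden' name='id_employee' value='{id_employee}'>"
        f"<input type='hidden' name='reset_token' value='{reset_token}'>"
        "<input type='password' name='passwd'><button>Reset</button></form>"
    )


def enumerate_ids(handler: Handler, candidates: range) -> Set[int]:
    """Attacker-side oracle: probe each id with a bogus token and keep the ids
    whose response differs from the response for an id that cannot exist."""
    baseline = handler(0, "bogus")
    return {i for i in candidates if handler(i, "bogus") != baseline}


def leaked_emails(handler: Handler, candidates: range) -> Dict[int, str]:
    """Pull the hidden email field out of every probed response, if present."""
    found: Dict[int, str] = {}
    for i in candidates:
        m = re.search(r"name='email' value='([^']+)'", handler(i, "bogus"))
        if m:
            found[i] = m.group(1)
    return found


if __name__ == "__main__":
    print("vulnerable:", leaked_emails(vulnerable_reset_form, range(1, 10)))
    print("hardened:  ", enumerate_ids(hardened_reset_form, range(1, 10)))
```

Against the vulnerable handler the probe recovers both sample accounts and their addresses with a token it invented; against the hardened handler every id, existing or not, yields the same page until the caller presents the real token, so there is nothing to enumerate. When reviewing a real fix, check the same three things: the token is validated before any account data is rendered, the failure response is byte-identical for unknown ids and wrong tokens, and the email is never placed in the page at all.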
No writeups or analysis indexed.