CVE-2026-54159 in ps_facetedsearchinfo

Summary

by MITRE • 07/17/2026

PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0 until 4.0.4, the ps_facetedsearch module rebuilds selected search filters from the request URL, and the value of a slider filter, price or weight, is taken from the URL without sufficient validation and stored in an internal filter-block cache where it is serialized and later read back with a raw native unserialize() in src/Filters/Block.php. By crafting that value, an unauthenticated attacker can smuggle a malicious serialized PHP object into the cache, and when it is deserialized, a gadget chain writes an arbitrary PHP file inside the modules/ps_facetedsearch/ directory, which is then used as a webshell to run commands on the server. This issue is fixed in version 4.0.4.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability in PrestaShop's ps_facetedsearch module represents a critical server-side deserialization flaw that enables remote code execution through crafted URL parameters. This security issue affects versions from 3.0.0 through 4.0.4, where the module processes user-provided input without adequate sanitization mechanisms. The core problem lies in how the module handles slider filter values, specifically price and weight parameters, which are extracted directly from the HTTP request URL and subsequently stored in an internal filter-block cache.

The technical implementation of this vulnerability follows a classic deserialization attack pattern where untrusted data flows through multiple processing stages before reaching the dangerous unserialize() function. When users interact with layered navigation filters, the module reconstructs selected search parameters from URL query strings without proper validation or sanitization. These raw values are then serialized and cached within the module's directory structure, creating a persistent storage point for malicious payloads.

The operational impact of this vulnerability is severe as it allows unauthenticated attackers to execute arbitrary PHP code on the target server with the privileges of the web application. The attack chain begins with crafting malicious URL parameters containing serialized PHP objects that exploit known gadget chains within the PHP ecosystem. When these malicious objects are deserialized through the vulnerable native unserialize() function in src/Filters/Block.php, they trigger a chain of method calls that ultimately result in writing a webshell file to the modules/ps_facetedsearch/ directory. This webshell enables attackers to execute commands on the server and maintain persistent access to the compromised system.

The vulnerability manifests as a combination of insecure deserialization (cwe-502) and arbitrary file write (cwe-22) conditions, making it particularly dangerous in the context of web applications that process user input through unvalidated data flows. This issue aligns with attack techniques described in the mitre attack framework under initial access and execution phases, where attackers leverage application vulnerabilities to establish footholds within target environments. The fact that the vulnerability exists in a widely used e-commerce module amplifies its potential impact across numerous web applications.

Security mitigations for this vulnerability require immediate upgrade to version 4.0.4 or later, which implements proper input validation and sanitization measures. Organizations should also consider implementing web application firewalls with rules to detect and block suspicious deserialization patterns in URL parameters. Additionally, regular security audits of module code should include thorough review of serialization practices and input handling procedures. The fix addresses the root cause by ensuring that filter values are properly validated before being stored in cache, eliminating the possibility of malicious serialized objects being introduced into the system's data flow.

Responsible

GitHub M

Reservation

06/11/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!