CVE-2025-51586
Presta Shop vulnerable to email enumeration
Description
### Impact An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses. Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts. ### Patches PrestaShop 8.2.3 ### Workarounds You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/
How to fix CVE-2025-51586
To remediate CVE-2025-51586, upgrade the affected package to a fixed version below.
- —upgrade to 8.2.1 or later
- —upgrade to 8.2.3 or later
Is CVE-2025-51586 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 8.2.1
- from 0, < 8.2.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.2 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |