An unauthenticated attacker with access to the back-office URL can manipulate the id employee and reset token parameters to enumerate valid back-office employee email addresses.

Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts.

PrestaShop 8.2.3

You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/