PT-2024-29497 · Unknown · Prestashop

Clotairer · Published 2024-07-26 · Updated 2024-07-29 · CVE-2024-41670

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

PrestaShop versions prior to 6.4.2
PrestaShop 1.6 versions prior to 3.18.1

Description

A logical weakness in the "PayPal Official" module for PrestaShop allows a malicious customer to confirm an order even though PayPal declined the payment. The issue arises when webhooks are disabled during payment capture, letting a threat actor create an accepted order backed by a fraudulent payment method.

Recommendations

For PrestaShop versions prior to 6.4.2, update to version 6.4.2 to resolve the issue. For PrestaShop 1.6 versions prior to 3.18.1, update to version 3.18.1 to resolve the issue. As a temporary workaround, enable webhooks and verify that they are callable to reduce the risk of exploitation.

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

CVE-2024-41670
GHSA-W3W3-J3MH-3354

Affected Products

Paypal Official
Prestashop