
PrestaShop 8.2.3 fixes a critical security vulnerability: update without delay

A new security update has just been released for PrestaShop. Version 8.2.3, available since September 4, 2025, fixes a vulnerability in the back-office password reset feature that allowed attackers to discover employees' email addresses. Although considered limited, this flaw is currently being exploited in the wild, making the update essential for all merchants still on the 8.2.x branch.

Key takeaways:

  • A flaw allowed email enumeration on the back-office reset page.
  • PrestaShop 8.2.3 permanently fixes the issue through stronger parameter validation.
  • Shops running PrestaShop 9 are not affected.
  • Temporary measures (VPN, masked URL, 2FA, WAF) can reduce risk, but only updating resolves the issue.

The vulnerability: an email leak via the reset page

The issue affected only the 8.2.x branch, now in extended support. Without authentication, an attacker could test combinations of parameters (id_employee and reset_token) to detect which employee accounts existed and obtain their email address. This so-called email enumeration technique paved the way for targeted phishing or later access attempts.

The fix introduced in 8.2.3 now requires:

  • that the identifier used and the token are provided together;
  • that the object referenced by that identifier actually exists;
  • that the provided token exactly matches the one stored in the database.

Outside of that case, no information is returned by the reset page.

How to protect yourself

The official recommendation is clear: update to 8.2.3 or apply the manual patch provided by PrestaShop if migration is not immediate. Administrators can also limit exposure to opportunistic attacks with several additional measures:

  • restrict access to the back office via VPN or allowed IP lists;
  • add an extra HTTP authentication layer;
  • hide or customize the back-office access URL;
  • enable a two-factor authentication (2FA) module for employee accounts;
  • monitor the logs for suspicious requests involving the reset_token or id_employee parameters.
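The log monitoring suggested in the last point can be scripted. The following is an added example, not code from the article or from PrestaShop: it parses constructed combined-format access-log lines, keeps only requests to the back-office path that carry id_employee or reset_token, and flags clients that sweep through many employee ids or send only one of the two parameters. The admin directory ("/admin-example/") and the log format are assumptions; the parameter names come from the article.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# ADMIN_PATH is an assumption: every PrestaShop install renames its
# back-office directory, so set it to the path of your own shop.
ADMIN_PATH = "/admin-example/"
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2025:10:00:01 +0000] "GET /admin-example/index.php?id_employee=1&reset_token=abc HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [05/Sep/2025:10:00:02 +0000] "GET /admin-example/index.php?id_employee=2&reset_token=abc HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [05/Sep/2025:10:00:03 +0000] "GET /admin-example/index.php?id_employee=3&reset_token=abc HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [05/Sep/2025:10:00:04 +0000] "GET /admin-example/index.php?id_employee=4 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [05/Sep/2025:10:01:00 +0000] "GET /admin-example/index.php?id_employee=12&reset_token=d4e5f6 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2025:10:02:00 +0000] "GET /index.php?id_product=4 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def reset_requests(log_text):
    """Yield (ip, id_employee, has_reset_token) for every request under ADMIN_PATH
    that carries at least one of the two reset parameters."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of crashing on them
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(ADMIN_PATH):
            continue
        qs = parse_qs(parts.query)
        if "id_employee" not in qs and "reset_token" not in qs:
            continue
        yield m.group("ip"), qs.get("id_employee", [None])[0], "reset_token" in qs

def find_enumeration(log_text, max_ids=2):
    """Flag clients that cycle through more than max_ids employee ids or send only
    one of the two parameters; a legitimate reset uses one id with one token."""
    stats = defaultdict(lambda: {"distinct_ids": set(), "incomplete": 0})
    for ip, emp, has_token in reset_requests(log_text):
        if emp is not None:
            stats[ip]["distinct_ids"].add(emp)
        if emp is None or not has_token:
            stats[ip]["incomplete"] += 1
    return {ip: {"distinct_ids": len(s["distinct_ids"]), "incomplete": s["incomplete"]}
            for ip, s in stats.items() if len(s["distinct_ids"]) > max_ids or s["incomplete"] > 0}
```

Tune max_ids to your shop's real number of employees: a single client touching more ids than that within a short window has no legitimate reason to do so, whichever response codes the server returned.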

Towards PrestaShop 9: stronger security

The PrestaShop team points out that PrestaShop 9, based on Symfony 6.4 and a completely new authentication flow, is not affected by this issue. This confirms the roadmap: the 8.2.x branch will now receive only security fixes, and merchants should plan their migration to version 9 to benefit from its functional improvements and hardened architecture.

The article "PrestaShop 8.2.3 fixes a critical security vulnerability: update without delay" was published on the Abondance site.