CVE-2025-51586 PoC — PrestaShop Security Vulnerability

Source
Associated Vulnerability
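Title: PrestaShop Security Vulnerability (CVE-2025-51586)
Description: PrestaShop is an open-source e-commerce solution from PrestaShop, a US company. It provides multiple payment methods, SMS notifications, product image zoom and other features. PrestaShop versions before 8.2.1 contain a security vulnerability that stems from the password reset function, which may lead to sensitive information disclosure.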
Description
PrestaShop AdminLogin Email Enumeration PoC - CVE-2025-51586. This repository provides an ethical Proof-of-Concept (PoC) for the PrestaShop vulnerability allowing user enumeration through the AdminLogin password reset mechanism. It explains the impact, setup, and usage of the PoC script.
Readme
<h1 align="center">CVE-2025-51586 - PrestaShop AdminLogin Email Enumeration PoC</h1>

<p align="center">
  <img src="https://github.com/7h30th3r0n3/CVE-2025-51586-PrestaShop-PoC/blob/main/img/prestaa.png" width="180" alt="PrestaShop Logo" />
</p>

<hr />

<h2>📌 Overview</h2>

<p>This repository contains an <strong>ethical Proof-of-Concept (PoC)</strong> for the vulnerability
<a href="https://security.friendsofpresta.org/core/2025/09/04/CVE-2025-51586.html">CVE-2025-51586</a>,
affecting <strong>PrestaShop</strong> versions <strong>1.7.x — 8.2.2</strong>.</p>

<p>The PoC enumerates administrator email addresses via the Back Office password reset mechanism (<code>AdminLogin</code> controller).</p>

<hr />

<h2>📝 Vulnerability Summary</h2>
<p>A user enumeration vulnerability in the <code>AdminLogin</code> controller in PrestaShop 1.7 through 8.2.2 allows remote attackers to obtain administrator email addresses by manipulating the <code>id_employee</code> and <code>reset_token</code> parameters. An attacker who has access to the Back Office login URL can trigger the password reset form to disclose the associated email address in a hidden field, even when the provided reset token is invalid. This issue has been fixed in 8.2.3.</p>

<ul>
  <li><strong>CVE ID:</strong> <a href="https://security.friendsofpresta.org/core/2025/09/04/CVE-2025-51586.html">CVE-2025-51586</a></li>
  <li><strong>Affected Software:</strong> PrestaShop</li>
  <li><strong>Versions:</strong> 1.7.x – 8.2.2</li>
  <li><strong>Fixed in:</strong> 8.2.3</li>
  <li><strong>Impact:</strong> Email enumeration (information disclosure)</li>
  <li><strong>Attack vector:</strong> Unauthenticated GET/POST to the reset endpoint</li>
</ul>

<h3>How it works</h3>
<ol>
  <li>Send a request to the reset page, e.g. <code>https://domain.tld/admin/index.php?controller=AdminLogin&amp;reset=1</code></li>
  <li>Provide a valid <code>id_employee</code> and an invalid <code>reset_token</code></li>
  <li>If the ID exists, the response contains a hidden field: <code>&lt;input name="reset_email" value="admin@domain.tld"&gt;</code></li>
  <li>Iterate IDs to enumerate admin emails</li>
</ol>
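
<p>Added example, not part of the original repository: a detection sketch that scans web server access logs for the request pattern described above and flags clients that probe many <code>id_employee</code> values or repeatedly POST to the reset form. It assumes combined log format and that GET probes carry <code>id_employee</code> in the query string; the function name, thresholds and sample lines are constructed for illustration.</p>

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: client IP, method, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) [^"]*" (\d{3})')

def find_reset_enumeration(log_text, min_ids=3, min_posts=5):
    """Return {ip: stats} for clients probing the AdminLogin reset form.

    min_ids and min_posts are assumed thresholds; tune them per site.
    """
    ids = defaultdict(set)    # ip -> distinct id_employee values seen in URLs
    posts = defaultdict(int)  # ip -> POSTs to the reset form (body is not logged)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        query = parse_qs(urlsplit(target).query)
        controller = query.get("controller", [""])[0].lower()
        if controller != "adminlogin" or "reset" not in query:
            continue
        if method == "POST":
            posts[ip] += 1
        ids[ip].update(query.get("id_employee", []))
    flagged = {}
    for ip in set(ids) | set(posts):
        if len(ids[ip]) >= min_ids or posts[ip] >= min_posts:
            flagged[ip] = {"distinct_ids": len(ids[ip]), "reset_posts": posts[ip]}
    return flagged

# Constructed sample log (documentation-range IPs, not real traffic).
def _line(ip, method, qs):
    return (f'{ip} - - [05/Sep/2025:10:00:00 +0000] '
            f'"{method} /admin/index.php?{qs} HTTP/1.1" 200 5120')

BASE = "controller=AdminLogin&reset=1"
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", f"{BASE}&id_employee={i}&reset_token=x") for i in range(1, 5)]
    + [_line("198.51.100.9", "GET", f"{BASE}&id_employee=2&reset_token=x")]  # one reset link
    + [_line("192.0.2.50", "POST", BASE) for _ in range(6)]
    + [_line("198.51.100.9", "GET", "controller=AdminLogin")]  # plain login page
)

if __name__ == "__main__":
    for ip, stats in sorted(find_reset_enumeration(SAMPLE_LOG).items()):
        print(ip, stats)
```

<p>POST bodies are not written to standard access logs, so POST-based probing only shows up as request volume against the reset form; the durable fix remains upgrading to 8.2.3.</p>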

<hr />

<h2>📚 References & Credit</h2>
<p>Official advisory: <a href="https://security.friendsofpresta.org/core/2025/09/04/CVE-2025-51586.html">Friends of Presta Security</a></p>
<p>Reported by <strong>Friends of Presta Security Team</strong> (advisory published September 4, 2025).</p>

<hr />

<h2>⚠️ Legal Notice</h2>
<p><strong>This PoC is for educational and authorized testing only.</strong> Use only on systems you own or where you have explicit permission. The author and contributors are not responsible for misuse.</p>

<hr />

<h2>📦 Installation</h2>
<p>Clone and install dependencies:</p>
<pre><code>git clone https://github.com/7h30th3r0n3/CVE-2025-51586-PrestaShop-PoC.git
cd CVE-2025-51586-PrestaShop-PoC
pip install requests beautifulsoup4 rich
</code></pre>

<h2>🖥️ Usage (CLI)</h2>
<pre><code>python3 cve_2025_51586_enum.py \
  -u "https://target/admin/index.php?controller=AdminLogin&amp;reset=1" \
  -s 1 -e 100 -m POST -t invalidtoken123 --delay 0.5 --timeout 10 --export results.csv
</code></pre>

<hr />

<h2>✍️ Author</h2>
<p>PoC developed by <strong>7h30th3r0n3</strong>. Vulnerability discovered by <strong>Friends of Presta Security Team</strong>.</p>

<!-- End -->
File Snapshot

[4.0K] /data/pocs/4bff7c3bfc6603aa47d0834cf9187d70a65ef927
├── [ 10K] CVE-2025-51586.py
├── [4.0K] img
│   ├── [326K] prestaa.png
│   └── [ 20] README.md
└── [3.3K] README.md

2 directories, 4 files