The PrestaShop team has released a security update for the Faceted Search (ps_facetedsearch) module. Store owners are strongly advised to update the module to version 4.0.4 as soon as possible, as the resolved vulnerability has been classified as high severity.
Overview of the Issue
A security vulnerability has been discovered in the module that, under certain conditions, could allow an attacker to send specially crafted requests and execute unauthorized code on the server.
The vulnerability is particularly serious because it does not require access to the Back Office or any user authentication. As a result, any store running an affected version of the module may be exposed to potential attacks.
Affected Versions
The issue affects ps_facetedsearch versions 3.0.0 through 4.0.3 inclusive on stores running PrestaShop 1.7.1.0 and later.
The vulnerability has been fixed in version 4.0.4.
Given the widespread adoption of the Faceted Search module across the PrestaShop ecosystem and the fact that no authentication is required to exploit the vulnerability, this update should be considered a high priority for all merchants using the module.
Required Action
If your store uses the Faceted Search module:
- Open the Modules section in your Back Office.
- Check for available updates for Faceted Search.
- Update the module to version 4.0.4.
- Verify that the installed version displayed in the Back Office is 4.0.4 or later.
If the update is not yet available through the Back Office, it is recommended to manually install the latest release from the official PrestaShop repository.
If You Cannot Update Immediately
Some stores may rely on heavily customized versions of the module or operate under strict deployment procedures. In such cases, PrestaShop has provided an official fix that can be applied manually.
However, this approach should only be considered a temporary measure. Upgrading to version 4.0.4 remains the recommended solution, as it includes not only the security fix but also other improvements and bug fixes released since previous versions.
Check Your Store for Signs of Compromise
If your store has been running an affected version for an extended period, it is advisable to perform a security review.
Pay particular attention to:
- Unknown PHP files located within the
modules/ps_facetedsearch/directory. - Suspicious or unusual requests in your web server logs targeting the module.
- File modifications that cannot be explained by normal store operations or authorized maintenance activities.
If evidence of compromise is found, updating the module alone is not sufficient. A full security investigation should be conducted, and administrative credentials should be changed after the store has been verified as clean.
Additional Security Recommendations
In addition to updating the module, PrestaShop recommends implementing several security best practices:
- Deploy a Web Application Firewall (WAF).
- Use CDN and reverse-proxy protection services such as Cloudflare.
- Restrict potentially dangerous PHP functions, including
exec,system,shell_exec,passthru,proc_open, andpopen. - Keep the PrestaShop core and all installed modules up to date.
- Maintain regular backups of both files and databases.
- Monitor official security advisories and community announcements.
If your store is running ps_facetedsearch version 3.0.0 or later, you should upgrade to version 4.0.4 without delay.
The vulnerability can be exploited without authentication and may lead to unauthorized code execution on the server. Store owners are also encouraged to review their systems for signs of previous malicious activity and strengthen their overall security posture to reduce future risks.