In PrestaShop versions 1.7 through 8.2.2, the Back Office password reset page could reveal a hidden form field containing an administrator's e-mail address even when the supplied reset token was invalid. In practice, anyone who knows the admin URL can iterate id_employee values in the reset link and collect real admin e-mail addresses. Fixed in 8.2.3.
A list of real admin e‑mail addresses is a useful starting point for phishing, targeted mailings, and attempts to take over accounts. This is not a full compromise, but it gives an attacker actionable information to use next.
What to do right now
- Upgrade your store to PrestaShop 8.2.3 or higher. This is the definitive fix.
- If you cannot upgrade immediately, restrict external access to the admin area: use an IP whitelist, a VPN, or web-server level authentication so that the admin area is reachable only from trusted source addresses.
- Change the admin path if it is a default one (/admin, /admin123, etc.). It is a simple step that makes automated scanning harder, although it does not remove the disclosure itself.
How to tell if your store is at risk
- Your PrestaShop version is below 8.2.3: you are vulnerable.
- The admin area is accessible at an obvious path like /admin: consider restricting and changing it.
- Server logs show many similar requests to the password reset form, especially with changing id_employee values: someone may be probing admin e-mails.
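The last check above is the one you can automate. The script below is an added example, not code from PrestaShop or from this post: it scans web-server access-log lines for requests to the admin password-reset page and flags any source IP that tried several different id_employee values. The log lines are constructed for the example, the admin directory name (admin-shop) is an assumption, and the query parameters it matches on (controller=AdminLogin, reset_password, id_employee) are assumed to be how the reset link is built; adjust them to what your own logs show.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
# 203.0.113.7 walks id_employee 1..5 with the same bogus token (enumeration);
# 198.51.100.20 is a single legitimate-looking reset; 192.0.2.9 is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:12:00:01 +0000] "GET /admin-shop/index.php?controller=AdminLogin&reset_password=1&id_employee=1&reset_token=aaaa HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:12:00:02 +0000] "GET /admin-shop/index.php?controller=AdminLogin&reset_password=1&id_employee=2&reset_token=aaaa HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:12:00:02 +0000] "GET /admin-shop/index.php?controller=AdminLogin&reset_password=1&id_employee=3&reset_token=aaaa HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:12:00:03 +0000] "GET /admin-shop/index.php?controller=AdminLogin&reset_password=1&id_employee=4&reset_token=aaaa HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:12:00:03 +0000] "GET /admin-shop/index.php?controller=AdminLogin&reset_password=1&id_employee=5&reset_token=aaaa HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.20 - - [10/May/2025:12:05:10 +0000] "GET /admin-shop/index.php?controller=AdminLogin&reset_password=1&id_employee=3&reset_token=9f2c HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2025:12:06:00 +0000] "POST /admin-shop/index.php?controller=AdminLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2025:12:07:00 +0000] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_reset_request(path, admin_dir):
    """True if the request target is the admin login controller's reset-password
    page carrying an id_employee parameter (assumed URL shape, see lead-in)."""
    parts = urlsplit(path)
    if not parts.path.startswith("/" + admin_dir + "/"):
        return False
    q = parse_qs(parts.query)
    return (q.get("controller", [""])[0] == "AdminLogin"
            and "reset_password" in q
            and "id_employee" in q)


def find_enumeration(log_text, admin_dir="admin-shop", threshold=3):
    """Group reset-page requests by client IP and report every IP that used at
    least `threshold` distinct id_employee values. A real user resets one
    account; iterating ids is the enumeration pattern described in the post."""
    ids_by_ip = defaultdict(set)
    requests_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_reset_request(rec["path"], admin_dir):
            continue
        q = parse_qs(urlsplit(rec["path"]).query)
        requests_by_ip[rec["ip"]] += 1
        ids_by_ip[rec["ip"]].update(q["id_employee"])
    return {
        ip: {"requests": requests_by_ip[ip], "distinct_ids": sorted(ids)}
        for ip, ids in ids_by_ip.items()
        if len(ids) >= threshold
    }


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} reset requests, "
              f"id_employee values {', '.join(info['distinct_ids'])}")
```

Run it over your real access log (`find_enumeration(open("access.log").read(), admin_dir="your-admin-dir")`) and treat any flagged IP as a probe of your admin e-mails. Grouping by IP is the simplest cut; an attacker rotating addresses would show up instead as many distinct id_employee values against the reset page overall, so it is worth also counting distinct ids across all clients in a time window.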
If you run a PrestaShop store — updating to 8.2.3+ is mandatory. In addition, restrict external admin access, enable two‑factor authentication, and monitor logs. These are simple measures that meaningfully protect your store.