This vulnerability does not require authentication and can lead to unauthorized code execution on your server. Any shop running an affected version is exposed. Update to
v4.0.4 now.
What Is the Vulnerability?
A security flaw has been identified in the ps_facetedsearch (Faceted Search) module. It allows specially crafted HTTP requests to be processed in an unsafe manner, potentially enabling an attacker to execute arbitrary code on your server — without needing to log in.
Given the widespread use of this module for product filtering, this is classified as high priority for all merchants.
ps_facetedsearch 3.0.0 – 4.0.3 on PrestaShop 1.7.1.0 or newer.Fixed in:
ps_facetedsearch 4.0.4 — update immediately.Full advisory: GHSA-m5f5-28qr-9g9r
How to Update
Open Module Manager
In your Back Office go to Modules → Module Manager and search for Faceted Search.
Install the Update
Click Update to install version 4.0.4. If the update does not appear, download it manually and upload via Upload a module.
Verify the Version
After updating, confirm that the module version shown in Back Office is 4.0.4 or higher.
If You Cannot Update Immediately
If you are blocked by customizations or other constraints, you can apply the fix directly from source. The patch is contained in a single commit:
View the fix commit on GitHub →
v4.0.4 as soon as possible.Check for Signs of Compromise
If your shop ran an affected version, it is important to verify that no unauthorized access occurred:
- Look for unexpected PHP files in the
modules/ps_facetedsearch/directory. - Review server access logs for unusual or repeated requests targeting the module.
- Check Advanced Parameters → Information in your Back Office for any changed core files.
Additional Security Recommendations
- Web Application Firewall (WAF): Blocks malicious requests before they reach your store. Services like Cloudflare offer managed WAF rules.
- Restrict Dangerous PHP Functions: Disable functions such as
exec,shell_exec,passthruin yourphp.iniif not needed. - Regular Updates & Backups: Keep PrestaShop core and all modules up to date. Maintain automated daily backups.
- Monitor Security Advisories: Follow the PrestaShop security advisories and the Friends of Presta security tracker.
✅ Summary
If you are running ps_facetedsearch 3.0.0 – 4.0.3, update to v4.0.4 immediately. Check your server for signs of past compromise. Implement a WAF and review your update process to catch future vulnerabilities faster.