CVE-2026-25482 Overview
CVE-2026-25482 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability affecting Craft Commerce, the ecommerce platform for Craft CMS. The vulnerability exists in the "Recent Orders" dashboard widget, where the Order Status Name is rendered via JavaScript string concatenation without proper escaping. This allows malicious script execution when any administrator visits the dashboard, potentially compromising admin sessions and enabling unauthorized actions within the CMS.
Critical Impact
Stored XSS allows attackers to execute arbitrary JavaScript in the context of administrator sessions, potentially leading to session hijacking, privilege escalation, and unauthorized administrative actions within Craft Commerce installations.
Affected Products
- Craft Commerce versions 4.0.0-RC1 to 4.10.0
- Craft Commerce versions 5.0.0 to 5.5.1
- Craft CMS installations with affected Craft Commerce plugin versions
Discovery Timeline
- February 3, 2026 - CVE-2026-25482 published to NVD
- February 4, 2026 - Last updated in NVD database
Technical Details for CVE-2026-25482
Vulnerability Analysis
This stored DOM XSS vulnerability (CWE-79) stems from improper handling of user-controlled data in the Craft Commerce dashboard. The "Recent Orders" widget processes the Order Status Name through JavaScript string concatenation without implementing proper output encoding or escaping mechanisms. When an administrator navigates to the dashboard, the malicious payload stored in the Order Status Name field executes within the browser context, inheriting the administrator's session privileges.
The attack requires high privileges to inject the payload (such as the ability to modify order status names) but only passive user interaction—an administrator simply visiting the dashboard triggers the exploit. The confidentiality and integrity impact lands on subsequent systems rather than on the vulnerable component itself: the injected script runs in the administrator's browser with that session's privileges, so the consequences follow whatever that session can reach, which is why the severity rating records high subsequent-system impact while the vulnerable system's own confidentiality and integrity boundaries are unaffected.
Root Cause
The root cause is improper neutralization of input during web page generation (CWE-79). Specifically, the JavaScript code responsible for rendering the Recent Orders dashboard widget concatenates the Order Status Name directly into the DOM without sanitizing or escaping HTML special characters. This allows injection of arbitrary HTML and JavaScript tags that execute when the widget renders.
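The rendering pattern described above, shown as an added illustration (not Craft Commerce's code) in its vulnerable and hardened forms: a row builder that concatenates the stored Order Status Name into markup destined for innerHTML, and the same builder with HTML escaping applied. The order object shape and the sample status name are assumptions constructed for the example.

```javascript
// Added example: the vulnerable and the hardened form of the widget-row
// rendering pattern described above. Not Craft Commerce's code; the order
// object shape (number, statusName) is an assumption for illustration.

// Escapes the characters that are significant in element content and in
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the status name is concatenated straight into markup
// that the widget assigns to innerHTML, so any tag in the stored value
// becomes live DOM when an administrator opens the dashboard.
function renderRecentOrderRowVulnerable(order) {
  return '<tr><td>' + order.number + '</td>' +
    '<td><span class="status">' + order.statusName + '</span></td></tr>';
}

// Hardened pattern: every value that came from the database is escaped before
// it is concatenated, so the same input renders as visible text.
function renderRecentOrderRowSafe(order) {
  return '<tr><td>' + escapeHtml(order.number) + '</td>' +
    '<td><span class="status">' + escapeHtml(order.statusName) + '</span></td></tr>';
}

// Strips the tags the template itself emits; any '<' left over came from data.
const TEMPLATE_TAGS = /<\/?(tr|td|span)\b[^>]*>/g;
function containsInjectedMarkup(html) {
  return html.replace(TEMPLATE_TAGS, '').includes('<');
}

// Constructed sample: a status name carrying an image tag with an event
// handler, the kind of value an account allowed to edit order statuses could store.
const SAMPLE_ORDER = {
  number: 'ORD-1001',
  statusName: 'Shipped<img src=x onerror="alert(1)">',
};

// Returns { vulnerable: true, safe: false } for the sample above.
function demonstrate() {
  return {
    vulnerable: containsInjectedMarkup(renderRecentOrderRowVulnerable(SAMPLE_ORDER)),
    safe: containsInjectedMarkup(renderRecentOrderRowSafe(SAMPLE_ORDER)),
  };
}
```

In a real page the same distinction holds for DOM APIs: assigning the status name to textContent instead of building an innerHTML string removes the need for manual escaping altogether.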
Attack Vector
The attack leverages the network-accessible Craft Commerce admin interface. An attacker with sufficient privileges to modify Order Status Names can inject malicious JavaScript payloads into these fields. The attack persists in the database and activates whenever any administrator views the Recent Orders dashboard widget, making this a stored XSS attack with cross-user impact.
The exploitation flow involves:
- Attacker gains access to modify Order Status Name values (requires elevated privileges)
- Attacker injects JavaScript payload into the Order Status Name field
- Payload is stored in the database
- Any administrator visiting the dashboard triggers script execution
- Malicious script runs with the victim administrator's session context
Detection Methods for CVE-2026-25482
Indicators of Compromise
- Unexpected JavaScript or HTML tags in Order Status Name fields within the database
- Unusual admin session behavior or unauthorized administrative actions following dashboard visits
- Browser console errors or unexpected script execution on the Craft Commerce dashboard
- Audit log entries showing modifications to Order Status configurations by unexpected users
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor database fields for suspicious HTML/JavaScript content patterns in order status tables
- Deploy Web Application Firewall (WAF) rules to detect XSS payload patterns in admin requests
- Enable and review Craft CMS audit logs for unusual administrative modifications
Monitoring Recommendations
- Configure real-time alerting for changes to Order Status configurations in Craft Commerce
- Monitor browser-side security events through CSP violation reports
- Implement integrity monitoring for critical Craft Commerce configuration tables
- Review admin user activity logs for anomalous dashboard access patterns
How to Mitigate CVE-2026-25482
Immediate Actions Required
- Upgrade Craft Commerce to version 4.10.1 or 5.5.2 immediately
- Audit existing Order Status Name fields for suspicious content or injected scripts
- Review admin user accounts for any unauthorized access or privilege escalation
- Implement Content Security Policy headers as an additional defense layer
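One way to carry out the "audit existing Order Status Name fields" action above and the "monitor database fields for suspicious content patterns" detection strategy, added here as an illustration that is not part of the advisory or of Craft Commerce: a scan over status-name records that reports anything a human-readable label should not contain. The record shape, the sample rows and the allowed-character set are constructed assumptions.

```javascript
// Added example, not from the advisory or Craft Commerce: an audit pass over
// Order Status Name values, the field this CVE concerns. Record shape,
// sample rows and the allowed-character set are constructed assumptions.

// Patterns that have no place in a human-readable status label.
const SUSPICIOUS = [
  { finding: 'html-tag',      re: /<\s*\/?[a-z!]/i },
  { finding: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { finding: 'script-uri',    re: /\bjavascript\s*:/i },
  { finding: 'html-entity',   re: /&(#x?[0-9a-f]+|[a-z]+);/i },
];

// Characters a legitimate status name is expected to consist of
// (assumption: widen it to match the names in use at the installation).
const EXPECTED_CHARS = /^[\p{L}\p{N} &'()\-_.,\/]*$/u;

// Returns the findings for one status name; an empty list means it looks clean.
function auditStatusName(name) {
  const findings = SUSPICIOUS.filter(p => p.re.test(name)).map(p => p.finding);
  if (!EXPECTED_CHARS.test(name)) findings.push('unexpected-character');
  return findings;
}

// Runs the audit over a set of records and keeps only those needing review.
function auditStatusRecords(records) {
  return records
    .map(r => ({ id: r.id, name: r.name, findings: auditStatusName(r.name) }))
    .filter(r => r.findings.length > 0);
}

// Constructed sample rows: three benign labels and two that carry markup.
const SAMPLE_STATUSES = [
  { id: 1, name: 'New' },
  { id: 2, name: 'Shipped & Tracked' },
  { id: 3, name: "Back-ordered (supplier's delay)" },
  { id: 4, name: 'Shipped<img src=x onerror=alert(1)>' },
  { id: 5, name: 'Refunded &#60;script&#62;' },
];
```

Running auditStatusRecords(SAMPLE_STATUSES) flags rows 4 and 5; against a real installation, feed it the rows of the order status table and treat every finding as something to review by hand rather than auto-clean.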
Patch Information
Craft CMS has released patched versions that address this vulnerability. The fix implements proper output escaping for the Order Status Name when rendered in the Recent Orders dashboard widget.
| Affected Version Range | Patched Version |
|---|---|
| 4.0.0-RC1 to 4.10.0 | 4.10.1 |
| 5.0.0 to 5.5.1 | 5.5.2 |
For technical details on the fix, refer to:
Workarounds
- If immediate patching is not possible, implement strict Content Security Policy headers to prevent inline script execution
- Restrict administrative access to trusted users only and audit existing admin accounts
- Monitor and sanitize Order Status Name fields at the database level as a temporary measure
- Consider temporarily disabling the Recent Orders dashboard widget until patching is complete
Example CSP header configuration for Apache (add to .htaccess or the Apache configuration):

```apache
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
```

Example CSP header configuration for Nginx (add to the server block configuration):

```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';";
```

Test the policy before enforcing it: a script-src without 'unsafe-inline' blocks every inline script, including any the control panel itself relies on, so deploy it first as Content-Security-Policy-Report-Only and resolve the reported violations before switching to the enforcing header.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

