CVE-2026-25483 Overview
A stored Cross-Site Scripting (XSS) vulnerability exists in Craft Commerce, an ecommerce platform for Craft CMS. The vulnerability is present in the Order Status History Message feature, where the message is rendered using the |md filter, which permits raw HTML and enables malicious script execution. This flaw allows attackers to inject and execute arbitrary JavaScript code within the context of authenticated user sessions.
Critical Impact
If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes.
Affected Products
- Craft Commerce versions 4.0.0-RC1 to 4.10.0
- Craft Commerce versions 5.0.0 to 5.5.1
Discovery Timeline
- 2026-02-03 - CVE-2026-25483 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-25483
Vulnerability Analysis
This stored XSS vulnerability occurs due to improper output encoding in the Craft Commerce Order Status History Message functionality. The application uses the Twig |md (markdown) filter to render user-supplied content, which permits raw HTML to pass through unescaped. When an attacker injects malicious JavaScript into an order status message, the script persists in the database and executes whenever any authenticated user views the affected order status.
The vulnerability is particularly dangerous because it executes within the authenticated administrative context of Craft CMS. Successful exploitation lets attackers perform actions on behalf of administrative users, including accessing sensitive configuration data, modifying content and, most critically, triggering database backup operations to exfiltrate sensitive information.
Root Cause
The root cause is missing output encoding on the orderStatus.name variable in the order status template. The vulnerable code path renders the order status name using |t('site') for translation but fails to apply proper HTML entity encoding before output. This allows HTML and JavaScript content injected into the order status name to be rendered as executable code rather than safe text.
Attack Vector
The attack requires network access and low-privilege authentication to Craft Commerce's administrative interface. An authenticated attacker can inject malicious JavaScript payloads into order status messages. When other users (particularly those with elevated permissions such as database backup access) view the order status history, the stored script executes in their browser session. The attacker can then leverage the victim's session to perform privileged operations, including database exfiltration.
url: orderStatus.cpEditUrl,
html: orderStatus.labelHtml|raw
},
- title: orderStatus.name|t('site'),
+ title: orderStatus.name|t('site')|e,
url: orderStatus.cpEditUrl,
handle: orderStatus.handle|e,
hasEmails: orderStatus.emails|length ?:'',
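Review bot: the hunk escapes orderStatus.name, whereas the advisory text above attributes the flaw to the Order Status History Message rendered with |md; the source note should say which template this hunk comes from so a reader can tell whether the message rendering path is covered by the same fix. Within the hunk, placing |e after |t('site') is the right order, because the translated string is what reaches the page, but `html: orderStatus.labelHtml|raw` three lines up still bypasses escaping and would benefit from a comment confirming that labelHtml is assembled from already-escaped parts.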
Source: GitHub Commit Update
Detection Methods for CVE-2026-25483
Indicators of Compromise
- Unexpected <script> tags or JavaScript event handlers (such as onerror, onload) in order status message fields within the database
- Anomalous outbound HTTP requests from administrative user browsers to unknown external domains
- Unusual database backup operations initiated by accounts that do not typically perform such actions
- Browser console errors or unexpected network activity when viewing order status history pages
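The following scanner is an added example, not code from the advisory or from Craft Commerce. It audits stored order status message text for the indicators listed above (script-bearing tags, on* event-handler attributes, javascript:/data: URLs in HTML attributes and in Markdown links that a |md filter would turn into anchors) and shows the escaping that the |e filter applies. The sample rows are constructed; the column name and any database access are left to the reader.

```python
"""Audit stored order-status messages for HTML/script injection (added example, constructed data)."""
import html
import re
from html.parser import HTMLParser

# Tags that should never appear in a status message.
SCRIPT_TAGS = {"script", "iframe", "object", "embed", "svg", "math"}
# Attributes that carry URLs, and schemes that execute or smuggle content.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
RISKY_SCHEMES = ("javascript:", "data:", "vbscript:")
# A Markdown link whose target uses a risky scheme: |md renders this as <a href="javascript:...">.
MD_LINK_RISKY = re.compile(r"\]\(\s*(?:javascript|data|vbscript)\s*:", re.IGNORECASE)


class InjectionFinder(HTMLParser):
    """Collects findings while the stdlib parser walks the stored text."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <ScRiPt> is caught too.
        if tag in SCRIPT_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event-handler:{name}")
            elif name in URL_ATTRS and value:
                # Strip whitespace and case so "java\nscript:" or "JaVaScRiPt:" still matches.
                normalized = "".join(value.split()).lower()
                if normalized.startswith(RISKY_SCHEMES):
                    self.findings.append(f"scheme:{name}")


def find_html_injection(message: str) -> list[str]:
    """Return findings for one stored message; an empty list means nothing suspicious."""
    finder = InjectionFinder()
    finder.feed(message)
    finder.close()
    findings = list(finder.findings)
    if MD_LINK_RISKY.search(message):
        findings.append("markdown-link-scheme")
    return findings


def scan_messages(rows: dict[int, str]) -> dict[int, list[str]]:
    """Map row id -> findings for every row that has at least one finding."""
    return {row_id: f for row_id, text in rows.items() if (f := find_html_injection(text))}


def escape_for_output(message: str) -> str:
    """What Twig's |e filter does: encode HTML metacharacters so stored text renders inertly."""
    return html.escape(message, quote=True)


# Constructed sample rows standing in for the order status history table.
SAMPLE_MESSAGES = {
    1: "Order shipped via courier, tracking number emailed to customer.",
    2: "Refund approved for <b>partial</b> amount",          # harmless formatting
    3: "Status updated <img src=x onerror=alert(1)>",         # event-handler injection
    4: "<script>document.title='x'</script>",                 # script tag
    5: "See [notes](javascript:alert(1)) for details",        # Markdown link, rendered by |md
    6: '<a href="JaVaScRiPt:alert(1)">click</a>',             # risky scheme in href
}

if __name__ == "__main__":
    for row_id, findings in scan_messages(SAMPLE_MESSAGES).items():
        print(f"row {row_id}: {', '.join(findings)}")
        print(f"  escaped form: {escape_for_output(SAMPLE_MESSAGES[row_id])}")
```

Rows 3 to 6 are reported; row 2 is not, because plain formatting tags are not in themselves the indicator. Escaping a flagged message with escape_for_output yields text that the same scanner no longer flags, which is the property the |e fix relies on.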
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor web application firewall (WAF) logs for XSS payload patterns in POST requests to order status endpoints
- Audit database content periodically for HTML or script injection patterns in order status fields
- Review Craft CMS access logs for unusual patterns of order status page access followed by database backup operations
Monitoring Recommendations
- Enable detailed logging for Craft Commerce administrative actions, particularly order status modifications
- Configure browser security features and CSP violation reporting to capture attempted script executions
- Monitor for bulk data access patterns that may indicate database exfiltration attempts
- Implement real-time alerting for database backup utility usage, especially from sessions that recently viewed order status pages
How to Mitigate CVE-2026-25483
Immediate Actions Required
- Upgrade Craft Commerce to version 4.10.1 or 5.5.2 immediately
- Review order status history messages for any suspicious HTML or JavaScript content and sanitize if found
- Audit recent database backup activity and verify legitimacy of all backup operations
- Consider temporarily restricting database backup permissions until the patch is applied
Patch Information
The vulnerability has been addressed in Craft Commerce versions 4.10.1 and 5.5.2. The fix applies proper output encoding using the Twig |e (escape) filter to the orderStatus.name variable, preventing injected HTML and JavaScript from being rendered as executable code. The patched code transforms user-supplied content into safe HTML entities before output.
Patch details are available in the GitHub commit. Release notes can be found at GitHub Release 4.10.1 and GitHub Release 5.5.2.
Workarounds
- If immediate patching is not possible, manually apply the escape filter (|e) to orderStatus.name output in affected template files
- Implement strict Content Security Policy headers to block inline script execution as a defense-in-depth measure
- Temporarily revoke database backup permissions from non-essential users until the patch can be deployed
- Consider placing Craft Commerce administrative interfaces behind additional authentication or network restrictions
# Example CSP header configuration for Nginx to mitigate XSS impact
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.