CVE-2026-25485 Overview
CVE-2026-25485 is a stored Cross-Site Scripting (XSS) vulnerability affecting Craft Commerce, the ecommerce platform for Craft CMS. The vulnerability allows attackers with administrative access to inject malicious JavaScript code through the Shipping Categories fields (Name & Description) in the Store Management section. When other administrators view these fields, the malicious scripts execute in their browsers, potentially leading to session hijacking, account compromise, or further attacks against the administrative infrastructure.
Critical Impact
Attackers can execute arbitrary JavaScript in administrator browsers, potentially compromising admin sessions, stealing credentials, or performing unauthorized actions within the Craft Commerce admin panel.
Affected Products
- Craft Commerce versions 4.0.0-RC1 through 4.10.0
- Craft Commerce versions 5.0.0 through 5.5.1
- Craft CMS installations running vulnerable Craft Commerce versions
Discovery Timeline
- 2026-02-03 - CVE-2026-25485 published to NVD
- 2026-02-04 - Last updated in the NVD database
Technical Details for CVE-2026-25485
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) occurs due to improper input sanitization in the Craft Commerce admin panel. When administrators create or modify Shipping Categories in the Store Management section, the Name and Description fields accept user input without proper encoding or sanitization. The stored malicious content is then rendered unsafely when other administrators view these shipping categories, causing JavaScript execution in their browser context.
The attack requires the attacker to have administrative privileges to create or edit shipping categories, making this a post-authentication attack. However, once the malicious payload is stored, it persistently affects any administrator who views the compromised shipping category entries.
Root Cause
The vulnerability stems from insufficient output encoding in the Craft Commerce admin panel templates. When rendering Shipping Category data (specifically the Name and Description fields), the application fails to properly escape HTML entities and JavaScript code before inserting the content into the DOM. This allows attackers to inject script tags or event handlers that execute when the page is rendered.
Attack Vector
The attack is network-based and requires authenticated access with administrative privileges. An attacker must first gain access to the Craft Commerce admin panel, then navigate to the Store Management section where Shipping Categories can be created or modified. By inserting JavaScript code into the Name or Description fields, such as <script> tags or event handler attributes, the attacker plants a persistent payload.
When another administrator views the shipping categories list or edits the malicious entry, the unsanitized content renders in their browser, executing the attacker's JavaScript. This can be used to steal session cookies, perform actions on behalf of the victim administrator, or redirect them to phishing pages.
The vulnerability mechanism involves improper sanitization of user-supplied input in Shipping Category fields. When an administrator enters malicious JavaScript in the Name or Description fields, this content is stored in the database without proper validation. Subsequently, when the admin panel renders these fields for viewing, the content is inserted into the HTML without adequate output encoding, allowing script execution. For complete technical details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-25485
Indicators of Compromise
- Shipping Category entries containing HTML tags, <script> elements, or JavaScript event handlers
- Unusual characters or encoded payloads in Name or Description fields (e.g., %3Cscript%3E, javascript:, onerror=)
- Administrator reports of unexpected browser behavior when accessing Store Management pages
- Web application firewall logs showing XSS payload patterns in POST requests to shipping category endpoints
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in requests to /admin/commerce/store-management/ endpoints
- Monitor database tables storing Shipping Category data for suspicious HTML/JavaScript content
- Enable Content Security Policy (CSP) headers to detect and block inline script execution
- Review application logs for POST requests modifying shipping categories with abnormal payload sizes
Monitoring Recommendations
- Configure alerting for CSP violation reports indicating blocked inline scripts in the admin panel
- Audit administrator activity logs for bulk modifications to shipping categories
- Implement regular database scans for stored XSS indicators in user-controllable fields
- Monitor for unusual session activity following admin panel access, which may indicate session theft
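The database scan recommended above, written as an added example (it is not tooling from Craft or from this advisory). It assumes shipping category rows have already been read from the database into dicts with id, name and description keys; the sample rows are constructed, and the checks decode URL and HTML-entity encodings first so the encoded variants listed under Indicators of Compromise are not missed.

```python
import html
import re
import urllib.parse

# Patterns taken from the indicators above: script/HTML tags, event-handler
# attributes and javascript: URIs. Applied after decoding, so that
# URL-encoded (%3Cscript%3E) or entity-encoded variants are also caught.
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "html_tag": re.compile(r"<\s*/?\s*[a-z][\w-]*[^>]*>", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}

def normalize(value: str) -> str:
    """Undo URL and HTML-entity encoding, repeatedly, to expose double-encoded content."""
    text = value
    for _ in range(3):  # three rounds is enough for the double-encoding seen in practice
        decoded = html.unescape(urllib.parse.unquote(text))
        if decoded == text:
            break
        text = decoded
    return text

def scan_field(value: str) -> list[str]:
    """Return the names of the indicators that match one field value."""
    text = normalize(value or "")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_rows(rows):
    """rows: iterable of dicts with id, name, description (assumed shape of the
    shipping category table). Returns (row id, field, indicators) findings."""
    findings = []
    for row in rows:
        for field in ("name", "description"):
            hits = scan_field(row.get(field, ""))
            if hits:
                findings.append((row["id"], field, hits))
    return findings

# Constructed sample rows, not data from any real installation.
SAMPLE_ROWS = [
    {"id": 1, "name": "Standard", "description": "Ground shipping, 3-5 days"},
    {"id": 2, "name": "<script>alert(1)</script>", "description": "Express"},
    {"id": 3, "name": "Freight", "description": "%3Cimg src=x onerror%3Dalert(1)%3E"},
    {"id": 4, "name": "Oversize & heavy", "description": "Items > 30 kg"},  # benign
]
if __name__ == "__main__":
    for rid, field, hits in scan_rows(SAMPLE_ROWS):
        print(f"row {rid} field {field}: {', '.join(hits)}")
```

Row 4 shows why the checks look for a tag or attribute shape rather than for bare `<`, `>` or `&`: legitimate category names often contain those characters.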
How to Mitigate CVE-2026-25485
Immediate Actions Required
- Upgrade Craft Commerce to version 4.10.1 or 5.5.2 immediately
- Audit existing Shipping Category entries for potentially malicious content
- Review administrator access logs for suspicious activity
- Consider temporarily restricting access to Store Management features until patching is complete
Patch Information
Craft CMS has released patched versions that properly sanitize the Shipping Categories fields before rendering. The fix is available in Craft Commerce version 4.10.1 for the 4.x branch and version 5.5.2 for the 5.x branch. The specific code changes can be reviewed in the commit fa273330807807d05b564d37c88654cd772839ee.
Workarounds
- Implement strict Content Security Policy headers to prevent inline script execution in the admin panel
- Use WAF rules to block requests containing XSS payloads to admin endpoints
- Limit administrative access to trusted users only and enable multi-factor authentication
- Regularly audit shipping category content for suspicious entries until patches can be applied
# Example Content Security Policy header configuration for nginx
# Add to the server block that serves the admin panel
# Note: the Craft control panel relies on inline scripts, so a strict script-src
# like this one can break it; validate with Content-Security-Policy-Report-Only first
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.