CVE-2026-25482 in Craft
Summary
by MITRE • 02/03/2026
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
Analysis
by VulDB Data Team • 02/19/2026
This vulnerability affects Craft Commerce, the e-commerce platform built for Craft CMS, in the 4.x release line from 4.0.0-RC1 through 4.10.0 and in the 5.x line from 5.0.0 through 5.5.1. The flaw is in the "Recent Orders" dashboard widget, where user-controlled data (the Order Status Name) is handled improperly, creating a persistent cross-site scripting vector that can compromise administrative sessions. It stems from inadequate input sanitization and missing output escaping in the widget's JavaScript rendering code, so an attacker who can control an order status name can inject a script that executes in the browser of any administrator who views the dashboard. This is a critical risk because it lets an attacker act with administrative privileges and potentially compromise the entire e-commerce installation.
Technically, the widget builds its markup by JavaScript string concatenation and inserts the Order Status Name without escaping it for an HTML context, so the site's usual protection against injected markup is simply not applied on this path. When an administrator opens the dashboard, the browser parses the stored status name as markup and executes any script it contains. The issue is classified as cross-site scripting (CWE-79); it is a stored XSS because the payload persists on the server and fires whenever a victim views the page rather than being delivered in a single request, and it is DOM-based because the injection point is client-side JavaScript rendering rather than a server-side template. In ATT&CK terms it maps to technique T1059.007 (Command and Scripting Interpreter: JavaScript), since execution occurs through the browser's JavaScript engine.
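As an added illustration (not Craft Commerce's own code), the following JavaScript contrasts the concatenation pattern described above with an escaped rendering and adds a small audit check over stored status names; the function names, row layout and sample orders are constructed for this example.

```javascript
// Added example, not code from Craft Commerce. Function names, the widget
// row layout and the sample orders below are assumptions for illustration.

// Minimal HTML escaper for text placed in an element body or quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the status name is concatenated straight into markup
// that is later assigned to innerHTML, so any HTML in the name gets parsed.
function renderRecentOrderRowUnsafe(order) {
  return '<tr><td>' + order.reference + '</td>' +
         '<td><span class="order-status">' + order.statusName + '</span></td></tr>';
}

// Hardened form: every untrusted value is escaped before concatenation.
// (Building the row with createElement/textContent avoids the issue entirely.)
function renderRecentOrderRowSafe(order) {
  return '<tr><td>' + escapeHtml(order.reference) + '</td>' +
         '<td><span class="order-status">' + escapeHtml(order.statusName) + '</span></td></tr>';
}

// Audit helper for defenders: flag stored status names that carry markup or a
// javascript: URL, i.e. values that should never appear in a legitimate name.
function statusNameLooksLikeMarkup(name) {
  const s = String(name);
  return /[<>]/.test(s) || /javascript:/i.test(s);
}

// Constructed sample data: one ordinary status and one carrying a script tag.
const SAMPLE_ORDERS = [
  { reference: 'A1001', statusName: 'Shipped' },
  { reference: 'A1002', statusName: 'Shipped<script>probe()</script>' },
];

// Returns the references of sample orders whose status name looks suspicious.
function auditSampleStatuses() {
  return SAMPLE_ORDERS.filter((o) => statusNameLooksLikeMarkup(o.statusName))
                      .map((o) => o.reference);
}
```

The same audit can be run as a query over the stored order status table after patching, to find values that were planted before the upgrade.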
The operational impact goes beyond data theft or defacement: the script runs inside the administrator's authenticated session, so an attacker can perform administrative actions on that user's behalf, such as modifying product information, adjusting pricing, reading customer data, manipulating order statuses, or escalating privileges within the platform. Because the payload is stored, every administrator who opens the dashboard is a potential victim, and the exposure persists until the stored value is removed or the code is fixed. This is especially damaging in e-commerce environments, where administrative access underpins business operations and customer data integrity.
Organizations running affected versions should upgrade to Craft Commerce 4.10.1 or 5.5.2 without delay. Administrators should also audit their other dashboard widgets and input-handling code for the same unescaped-concatenation pattern, and review existing order status names for stored markup that may have been planted before the upgrade. Defense in depth should include a Content Security Policy that restricts inline script execution, monitoring of dashboard widgets for unexpected content, and training so staff can recognize XSS indicators. A web application firewall can help detect and block script-injection attempts, and incident response procedures should specifically cover cross-site scripting in administrative interfaces.