CVE-2026-25482
Stored DOM XSS in Craft Commerce Dashboard Widget Allows Admin Script Execution
Publication date: 2026-02-03
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_commerce | From 4.0.1 (inc) to 4.10.1 (exc) |
| craftcms | craft_commerce | From 5.0.0 (inc) to 5.5.2 (exc) |
| craftcms | craft_commerce | 4.0.0 |
| craftcms | craft_commerce | 4.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-25482 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability in the CraftCMS Commerce plugin, specifically in the "Recent Orders" dashboard widget.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the Order Status Name is rendered via JavaScript string concatenation without proper escaping. This means that if an attacker with admin permissions sets the Order Status Name to a malicious script, that script will execute when any admin views the dashboard.'}, {'type': 'paragraph', 'content': "The root cause is that the Order Status Name is directly inserted into the HTML string without sanitization, allowing malicious scripts embedded in the status name to run in the admin's browser."}, {'type': 'paragraph', 'content': 'This issue affects versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, and has been patched in versions 4.10.1 and 5.5.2.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker with admin permissions to inject malicious scripts into the Order Status Name.'}, {'type': 'paragraph', 'content': 'When any admin visits the dashboard with the "Recent Orders" widget displaying orders with the malicious status, the script executes in their browser.'}, {'type': 'paragraph', 'content': 'This can lead to unauthorized actions such as session hijacking, data theft, or other malicious activities performed in the context of the admin user.'}, {'type': 'paragraph', 'content': 'Because exploitation requires admin access to create or edit Order Statuses, the risk is limited to scenarios where an attacker already has elevated privileges.'}] [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Craft Commerce installation is running a vulnerable version (from 4.0.0-RC1 to 4.10.0 or from 5.0.0 to 5.5.1) and by inspecting the Order Status Names for malicious script payloads.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves stored DOM XSS in the "Recent Orders" dashboard widget, detection involves verifying if any Order Status Names contain suspicious or malicious JavaScript code.'}, {'type': 'paragraph', 'content': 'Suggested commands or steps include:'}, {'type': 'list_item', 'content': "Query the database for Order Status Names containing suspicious HTML or JavaScript tags, for example using SQL commands like: SELECT * FROM order_statuses WHERE name LIKE '%<script%' OR name LIKE '%onerror=%';"}, {'type': 'list_item', 'content': 'Check the version of Craft Commerce installed by running: composer show craftcms/commerce or checking the version in the admin dashboard.'}, {'type': 'list_item', 'content': 'Manually review the "Recent Orders" dashboard widget for unexpected script execution or unusual behavior when viewing orders with custom statuses.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps are to update Craft Commerce to a patched version where this vulnerability is fixed.
- Upgrade to version 4.10.1 or later if you are on the 4.x branch.
- Upgrade to version 5.5.2 or later if you are on the 5.x branch.
If immediate upgrade is not possible, review and sanitize all Order Status Names to remove any malicious scripts or HTML tags.
The underlying fix involves escaping the Order Status Name and color using the Craft.escapeHtml() function in the JavaScript rendering code to prevent script execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a stored DOM-based Cross-Site Scripting (XSS) issue that allows script execution in the admin dashboard when viewing recent orders with a malicious Order Status Name.
Such XSS vulnerabilities can lead to unauthorized script execution, potentially exposing sensitive administrative interfaces or data.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.
Therefore, if exploited, this vulnerability could undermine compliance by enabling attackers to execute unauthorized scripts, possibly leading to data breaches or unauthorized access.
Mitigation by updating to patched versions (4.10.1 or 5.5.2) is necessary to maintain compliance and secure handling of sensitive data.