Executive Summary

CVE-2026-25483 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce, an ecommerce platform for Craft CMS. It affects versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1. The vulnerability exists in the Order Status History Message feature, where messages are rendered using the Twig |md filter that allows raw HTML without sanitization. This permits malicious scripts to be executed.

An attacker with access to the control panel and permissions to manage orders and use the database backup utility (which does not require an elevated session) can inject a crafted XSS payload into the Status Message field of an order. When an admin views the order page, the malicious script executes, triggering a full database backup and exfiltrating sensitive data to an attacker-controlled server.

• The attacker logs into the admin panel.
• They create or edit an order, injecting the XSS payload into the Status Message.
• The payload uses a malicious HTML tag with an onerror handler to fetch and send the database backup.
• When an admin views the order page, the payload executes and exfiltrates the database.

The root cause is the lack of HTML sanitization in the |md Twig filter used to render order status messages, allowing embedded scripts to run.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full database compromise. An attacker can exfiltrate the entire database, which includes:

• User credentials
• Customer personally identifiable information (PII)
• Order history
• Two-factor authentication (2FA) recovery codes
• GraphQL tokens
• Transaction records
• Coupon codes
• Potentially payment gateway secrets

This exposure can lead to unauthorized access, data theft, fraud, and significant damage to business operations and reputation.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Craft Commerce installation is running a vulnerable version (from 4.0.0-RC1 to 4.10.0 or from 5.0.0 to 5.5.1) and by inspecting the Order Status History Message feature for injected malicious scripts.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves verifying if the order status messages are rendered using the Twig |md filter without sanitization, which allows raw HTML and script execution.'}, {'type': 'paragraph', 'content': 'You can also monitor network traffic for suspicious POST requests sending large zipped database backups to unknown external servers, which may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'While no explicit commands are provided, you can use the following approaches:'}, {'type': 'list_item', 'content': 'Check the installed Craft Commerce version via your system or application interface or by running commands like `composer show craftcms/commerce` if using Composer.'}, {'type': 'list_item', 'content': "Search the database for suspicious content in the order status history messages, for example by querying the database with SQL commands like: `SELECT message FROM order_status_history WHERE message LIKE '%<img%onerror=%';` to find injected XSS payloads."}, {'type': 'list_item', 'content': 'Monitor web server logs and network traffic for unusual POST requests to external IPs or domains, which may indicate data exfiltration.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Craft Commerce to a patched version: 4.10.1 or later, or 5.5.2 or later.

Additionally, sanitize the Order Status History Message rendering by applying an HTML purifier filter or escaping HTML before Markdown processing in the Twig templates, for example using `{{ orderHistory.message | md | purify }}` or `{{ orderHistory.message | e | md }}`.

Restrict permissions to the database backup utility by requiring elevated sessions to reduce the risk of exploitation.

Review and harden user permissions to ensure only trusted users have access to order management and database backup features.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to exfiltrate the entire database, including user credentials, customer personally identifiable information (PII), order history, and 2FA recovery codes.

Exposure of customer PII and sensitive authentication data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information.

Because the vulnerability enables unauthorized access and extraction of sensitive data without elevated session requirements, it poses a significant risk to maintaining compliance with these standards.

Useful 0 Not Useful 0