CVE-2026-25485
Stored XSS in Craft Commerce Shipping Categories Allows Admin Hijack
Publication date: 2026-02-03
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_commerce | From 4.0.1 (inc) to 4.10.1 (exc) |
| craftcms | craft_commerce | From 5.0.0 (inc) to 5.5.2 (exc) |
| craftcms | craft_commerce | 4.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-25485 is a stored cross-site scripting (XSS) vulnerability in Craft Commerce affecting the Name and Description fields of Shipping Categories in the Store Management section of the control panel.
The values entered in these fields are not properly escaped when they are later rendered in the control panel, so an attacker can store HTML markup containing JavaScript in them.
When an administrator views the affected page, the stored script executes in the administrator's browser with that user's control-panel session.
Exploitation requires two parties: an attacker with a control-panel account that has permission to manage store settings and shipping categories, and an administrator who subsequently views the page. It is therefore a privilege escalation from a lower-privileged store manager to administrator, not an unauthenticated attack.
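As an added illustration (not code from Craft CMS, Craft Commerce or this page), the Python below shows the rendering pattern the description refers to: the stored value interpolated into control-panel HTML verbatim, a naive input filter that strips only `<script>` tags and still lets an event-handler payload through, and output-time HTML escaping, which is the actual fix. The payload, the table-cell markup and the helper names are assumptions made for the example; Craft's own templates are Twig, not Python.

```python
import html
import re

# Constructed payload of the kind the advisory describes for the
# Shipping Category "Name" field (example input, not from the original page).
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_unescaped(name: str) -> str:
    """Vulnerable pattern: the stored value is interpolated into the
    control-panel page verbatim, so browser-parsable markup survives."""
    return f'<td class="shipping-category">{name}</td>'


def strip_script_tags(name: str) -> str:
    """Naive input filter that only removes <script> tags. It does NOT
    help here: the event-handler payload contains no <script> tag."""
    return re.sub(r"(?is)<script.*?>.*?</script>", "", name)


def render_escaped(name: str) -> str:
    """Hardened pattern: HTML-escape at output time, for the HTML-text
    context, so '<', '>', '"', "'" and '&' can no longer open tags or
    attributes. This is what Twig's autoescape does when it is not
    bypassed with |raw."""
    return f'<td class="shipping-category">{html.escape(name, quote=True)}</td>'


def contains_live_markup(rendered: str) -> bool:
    """Crude check used by this example: does the rendered cell still
    contain a tag carrying an on* event-handler attribute?"""
    return re.search(r"<\w+[^>]*\son\w+\s*=", rendered, re.I) is not None


if __name__ == "__main__":
    variants = [
        ("unescaped", render_unescaped),
        ("strip <script> only", lambda n: render_unescaped(strip_script_tags(n))),
        ("escaped", render_escaped),
    ]
    for label, fn in variants:
        out = fn(PAYLOAD)
        print(f"{label:20s} live markup: {contains_live_markup(out)}  ->  {out}")
```

The point of the second variant is that blocklist-style input filtering is the wrong layer: the fix for CWE-79 is context-appropriate encoding where the value is written into the page, and only the third variant renders the payload as inert text.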
How can this vulnerability impact me?
This vulnerability can lead to arbitrary JavaScript execution in an administrator's browser, which can be used to perform malicious actions.
An attacker can exploit this to escalate their privileges by injecting payloads that modify user permissions, potentially granting themselves administrator rights.
Additionally, attackers can automate attacks by forcing logout and re-authentication or by creating fake login modals to capture administrator credentials. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to two checks: the installed Craft Commerce version and the stored field values. Vulnerable versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1; the installed version can be read from the project's composer.lock or with `composer show craftcms/commerce` in the project root.
Then inspect the Shipping Categories in Store Management (Name and Description) for markup such as <img src=x onerror=...> or any other tag carrying an event-handler attribute. This can be done by logging into the control panel with the appropriate permissions, or directly against the database, since the fields are stored as plain text and legitimate entries never need HTML.
There is no network-level signature for this issue: the stored payload only executes in the browser of an administrator who views the page, so manual or scripted inspection of the stored field values is the practical check, and any finding should be treated as evidence of exploitation rather than of mere exposure.
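A scripted version of both checks, added here as an example and not taken from this page or from Craft: it reads the installed craftcms/commerce version out of a composer.lock document and compares it against the vulnerable ranges stated above, then scans rows exported from the shipping categories table for markup and script indicators. The composer.lock content, the sample rows and the commerce_shippingcategories table name are constructed assumptions for the example.

```python
import json
import re

PACKAGE = "craftcms/commerce"

# Vulnerable ranges from the advisory text: [4.0.0-RC1, 4.10.1) and [5.0.0, 5.5.2).
VULNERABLE_RANGES = [("4.0.0-RC1", "4.10.1"), ("5.0.0", "5.5.2")]


def version_key(version: str):
    """Order Composer-style versions so that a pre-release (4.0.0-RC1) sorts
    before its final release (4.0.0). All pre-releases of one version share a
    key, which is conservative: 4.0.0-beta.1 is treated as in range as well."""
    core, _, pre = version.lstrip("v").partition("-")
    nums = [int(p) for p in core.split(".")]
    while len(nums) < 3:
        nums.append(0)
    return (*nums[:3], 0 if pre else 1)


def is_vulnerable_version(version: str) -> bool:
    k = version_key(version)
    return any(version_key(lo) <= k < version_key(hi) for lo, hi in VULNERABLE_RANGES)


def commerce_version_from_lock(lock_json: str):
    """Return the installed craftcms/commerce version from composer.lock text,
    or None if the package is not present."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


# Markup/script indicators. Legitimate shipping category names and
# descriptions are plain text, so any hit deserves a human look.
SUSPICIOUS = re.compile(
    r"<\s*/?[a-z]"            # an HTML tag opener
    r"|\bon[a-z]+\s*="        # on* event-handler attribute
    r"|javascript\s*:"        # javascript: URL
    r"|&#x?[0-9a-f]+;"        # numeric entity, often used for obfuscation
    r"|%3c",                  # URL-encoded '<'
    re.IGNORECASE,
)


def scan_shipping_categories(rows):
    """rows: dicts with id/name/description, as exported from the (assumed)
    commerce_shippingcategories table. Returns the flagged rows and fields."""
    flagged = []
    for row in rows:
        hits = [f for f in ("name", "description")
                if row.get(f) and SUSPICIOUS.search(row[f])]
        if hits:
            flagged.append({"id": row["id"], "fields": hits})
    return flagged


# Constructed sample data (not from the original page).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.9.3"},
    {"name": PACKAGE, "version": "4.9.6"},
]})
SAMPLE_ROWS = [
    {"id": 1, "name": "General", "description": "Default shipping category"},
    {"id": 2, "name": "Fragile <img src=x onerror=alert(1)>", "description": ""},
    {"id": 3, "name": "Bulky", "description": "see &#60;a href=javascript:alert(1)>here"},
]

if __name__ == "__main__":
    v = commerce_version_from_lock(SAMPLE_LOCK)
    print(f"{PACKAGE} {v}: vulnerable={is_vulnerable_version(v)}")
    for hit in scan_shipping_categories(SAMPLE_ROWS):
        print("suspicious shipping category", hit)
```

The indicator list is deliberately broad (entities and URL-encoding included) because an attacker who already has store-management access may try to hide a payload from a casual look in the control panel; a false positive costs a minute of review, a missed stored payload costs an administrator session.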
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Craft Commerce to a patched version: 4.10.1 or later in the 4.x series, or 5.5.2 or later in the 5.x series.
Additionally, restrict access to the admin control panel and ensure only trusted users have permissions to manage store settings and shipping categories.
Until the upgrade is applied, review existing Shipping Categories entries and remove any that contain markup. Note that this only cleans up an injection that has already happened; it does not prevent a new one, because the fix lies in how the fields are rendered, not in the stored data.