CVE-2026-25486
Stored XSS in Craft Commerce Shipping Method Name Field
Publication date: 2026-02-03
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_commerce | From 5.0.0 (inc) to 5.5.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-25486 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce versions from 5.0.0 to 5.5.1. It occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel.'}, {'type': 'paragraph', 'content': "This allows an attacker with access to the control panel and permissions to manage store settings and shipping to inject malicious JavaScript code that executes in an administrator's browser."}, {'type': 'paragraph', 'content': 'The vulnerability can be exploited by entering a malicious payload into the Shipping Methods Name field, which is then stored and executed when an administrator views the page.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability can lead to the execution of malicious JavaScript in an administrator's browser, potentially allowing attackers to escalate their privileges."}, {'type': 'paragraph', 'content': 'An attacker can use this to modify their user permissions to gain administrator rights by exploiting an active elevated session.'}, {'type': 'paragraph', 'content': 'Additionally, attackers can deploy phishing attacks such as fake "Session Expired" login modals to steal administrator credentials.'}, {'type': 'paragraph', 'content': 'Overall, this can result in unauthorized administrative access, compromising the security and integrity of the ecommerce platform.'}] [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by verifying if the Shipping Methods Name field in the Craft Commerce Store Management section contains malicious JavaScript payloads. Specifically, an administrator can test by attempting to input a payload such as <img src=x onerror="alert(document.domain)"> in the Shipping Methods Name field and observing if the script executes when viewing the admin panel.'}, {'type': 'paragraph', 'content': 'Detection involves logging into the admin panel with appropriate permissions, navigating to Commerce → Store Management → Shipping Methods, and checking for any suspicious or unexpected script tags or JavaScript code in the Name field.'}, {'type': 'paragraph', 'content': 'There are no specific network commands provided to detect this vulnerability, but monitoring for unusual POST requests to /admin/users/<UserID>/permissions or unexpected privilege escalations in administrator sessions may help identify exploitation attempts.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Craft Commerce to version 5.5.2 or later, where this stored XSS vulnerability has been patched.
Additionally, restrict access to the control panel and store management permissions to trusted administrators only, as exploitation requires an active administrator session with elevated privileges.
Monitor and audit the Shipping Methods Name field for any suspicious entries and remove any untrusted or unexpected content.
Consider implementing additional security controls such as Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to execute malicious JavaScript in an administrator’s browser via stored XSS, potentially leading to privilege escalation and unauthorized access to administrative functions.
Such unauthorized access and privilege escalation could lead to exposure or manipulation of sensitive data managed through the ecommerce platform, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.