CVE-2026-25487
Stored XSS in Craft Commerce Tax Rates Allows Admin Browser Attack
Publication date: 2026-02-03
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_commerce | From 4.0.1 (inc) to 4.10.1 (exc) |
| craftcms | craft_commerce | From 5.0.0 (inc) to 5.5.2 (exc) |
| craftcms | craft_commerce | 4.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25487 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce, an ecommerce platform for Craft CMS. It affects versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1. The vulnerability occurs because the 'Name' field of Tax Rates in the Store Management section is not properly sanitized before being displayed in the admin panel.

This allows an attacker with access to the control panel and permissions to manage store settings and taxes to inject malicious JavaScript code into the 'Name' field. When an administrator views the tax rates page, the malicious script executes in their browser. [1]
How can this vulnerability impact me?
The vulnerability can lead to several serious impacts:

- Execution of malicious JavaScript in an administrator's browser, potentially compromising their session.
- Privilege escalation to administrator level if an elevated admin session is active, allowing attackers to gain full admin permissions.
- Attackers can display fake login modals to trick administrators into submitting their credentials, leading to credential theft. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Craft Commerce installation is running a vulnerable version (from 4.0.0-RC1 to 4.10.0 or from 5.0.0 to 5.5.1) and by inspecting the Tax Rates 'Name' field in the Store Management section for malicious JavaScript payloads.

One practical way to detect exploitation is to look for suspicious payloads such as `<img src=x onerror="alert(document.domain)">` or similar JavaScript injections in the Tax Rates 'Name' field.

Since this is a stored XSS vulnerability, monitoring HTTP requests and responses to the admin panel for unusual script tags or payloads in the Tax Rates section can help detect attempts.

Specific commands are not provided in the resources, but you can use web application scanning tools or manual inspection via the admin interface to review the Tax Rates names. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Craft Commerce to a patched version: 4.10.1 or later if using the 4.x branch, or 5.5.2 or later if using the 5.x branch.

Until the upgrade is applied, restrict access to the Store Management section to trusted administrators only, as exploitation requires permissions to manage store settings and taxes.

Additionally, monitor and audit the Tax Rates 'Name' fields for suspicious or unexpected JavaScript payloads and remove any malicious entries.

Educate administrators to be cautious of unexpected login modals or session expiration prompts that could be part of an XSS attack. [1]
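The detection and mitigation answers above both come down to two checks: is the installed version inside the affected ranges the page quotes, and do any Tax Rate names carry markup that should never appear in a tax label. The following is an added example (not code from the advisory, Craft Commerce, or this site) that performs both checks offline. It assumes the version string is read from the installation (e.g. from `composer.lock`) and that tax rate rows are available as a list of dicts with `id` and `name` keys, for instance exported from the `commerce_taxrates` table; the sample rows, the regex heuristic and the function names are all constructed for this example. The last function shows the rendering-side fix for this class of bug: HTML-escaping the name before it is placed in a page.

```python
"""Added example: audit a Craft Commerce install for CVE-2026-25487 exposure.

Version ranges are the ones stated in this page's Q&A (4.0.0-RC1..4.10.0 and
5.0.0..5.5.1, fixed in 4.10.1 / 5.5.2). Everything else is an assumption made
for illustration.
"""
import html
import re
from typing import Dict, List, Tuple

# [first affected, first fixed) per branch, as plain numeric tuples.
AFFECTED: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((4, 0, 0), (4, 10, 1)),
    ((5, 0, 0), (5, 5, 2)),
]

# Heuristic for a tax-rate label that contains markup instead of text: any HTML
# tag, an inline event-handler attribute, or a javascript: URL. Assumed pattern,
# tuned for this field where legitimate values are short plain-text labels.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.I)

# Constructed sample rows; row 3 holds the canary payload quoted on this page.
SAMPLE_TAX_RATES: List[Dict[str, object]] = [
    {"id": 1, "name": "Standard VAT 20%"},
    {"id": 2, "name": "Reduced rate (food & books)"},
    {"id": 3, "name": '<img src=x onerror="alert(document.domain)">'},
    {"id": 4, "name": "Zero rate"},
]


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '4.10.0' / '4.0.0-RC1' into a sortable key.

    The trailing int is 0 for a pre-release and 1 for a final release, so that
    4.0.0-RC1 sorts before 4.0.0 and is still caught by a range starting there.
    """
    base, _, pre = version.partition("-")
    numbers = tuple(int(part) for part in base.split("."))
    return numbers, 0 if pre else 1


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    key = parse_version(version)
    return any((start, 0) <= key < (fixed, 0) for start, fixed in AFFECTED)


def suspicious_names(rates: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the tax-rate rows whose name looks like markup rather than a label."""
    return [row for row in rates if SUSPICIOUS.search(str(row["name"]))]


def render_name(name: str) -> str:
    """Output-side fix: escape before placing the value in HTML.

    html.escape() with quote=True (the default) also neutralises quotes, so the
    name cannot break out of an attribute context either.
    """
    return html.escape(name)


if __name__ == "__main__":
    for candidate in ("4.0.0-RC1", "4.10.0", "4.10.1", "5.5.1", "5.5.2"):
        print(f"{candidate:>10}: {'AFFECTED' if is_affected(candidate) else 'ok'}")
    for row in suspicious_names(SAMPLE_TAX_RATES):
        print(f"tax rate id={row['id']} needs review; safe rendering: {render_name(str(row['name']))}")
```

Run against a real export, `suspicious_names` gives the list of rows to review and remove, while `is_affected` tells you whether the upgrade is still outstanding. The regex is deliberately broad for this one field; it is a triage aid, not a replacement for the fixed release.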
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to execute malicious JavaScript in an administrator's browser, potentially leading to privilege escalation and unauthorized access to administrative functions.

Such unauthorized access and privilege escalation can result in exposure or manipulation of sensitive data, which may violate data protection regulations like GDPR and HIPAA that require strict controls over access to personal and health information.

Additionally, the ability to trick administrators into submitting credentials via a fake login modal could lead to credential compromise, further increasing the risk of non-compliance with security standards. [1]