Compliance Impact

The provided information does not specify how the stored XSS vulnerability in Craft Commerce directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-25489 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce, an ecommerce platform for Craft CMS. It affects the Name and Description fields of Tax Zones in the admin panel because these fields are not properly sanitized before being displayed.

An attacker with access to the control panel and permissions to manage store settings and taxes can inject malicious JavaScript code into these fields. When an administrator views the Tax Zones page, the malicious script executes in their browser.

This vulnerability can be exploited to execute arbitrary JavaScript, and with more complex payloads, attackers can escalate their privileges to administrator by modifying their user permissions via the admin users API.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to the execution of malicious JavaScript in an administrator's browser, potentially allowing attackers to hijack admin sessions or perform actions on behalf of the administrator."}, {'type': 'paragraph', 'content': 'More seriously, attackers can escalate their privileges to administrator by exploiting the vulnerability to modify their user permissions, gaining full control over the Craft Commerce platform.'}, {'type': 'paragraph', 'content': 'Attackers can automate the attack by forcing victim logout to trigger re-authentication or by phishing administrator credentials using fake login modals, increasing the risk of compromise.'}] [1]

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Craft Commerce installation is running a vulnerable version and by inspecting the Tax Zones Name and Description fields for malicious JavaScript payloads.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves verifying the version of Craft Commerce to see if it falls within the affected ranges (4.0.0-RC1 to 4.10.0 and 5.0.0 to 5.5.1).'}, {'type': 'paragraph', 'content': 'You can also manually review or query the database entries for Tax Zones to identify suspicious scripts in the Name or Description fields.'}, {'type': 'list_item', 'content': 'Check Craft Commerce version via the admin panel or command line.'}, {'type': 'list_item', 'content': "Query the database for Tax Zones entries containing suspicious script tags or event handlers, for example using SQL commands like: SELECT id, name, description FROM taxzones WHERE name LIKE '%<script%' OR description LIKE '%<script%' OR name LIKE '%onerror=%' OR description LIKE '%onerror=%';"}, {'type': 'list_item', 'content': 'Manually inspect the Tax Zones page in the admin panel for unexpected JavaScript execution or unusual content in the Name and Description fields.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Craft Commerce to a patched version where this vulnerability is fixed.

• Upgrade to Craft Commerce version 4.10.1 or later if you are on the 4.x branch.
• Upgrade to Craft Commerce version 5.5.2 or later if you are on the 5.x branch.

Additionally, restrict administrative access to trusted users only and monitor for suspicious activity in the admin panel.

Avoid using accounts with elevated privileges for routine tasks to reduce the risk of exploitation.

Useful 0 Not Useful 0