CVE-2026-25490
Stored XSS in Craft Commerce Inventory Location Admin Panel

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
Meta Information
Published: 2026-02-03
Last Modified: 2026-02-10
Generated: 2026-06-16
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Showing 4 associated CPEs
Vendor     Product          Version / Range
craftcms   craft_commerce   From 4.0.1 (inc) to 4.10.1 (exc)
craftcms   craft_commerce   From 5.0.0 (inc) to 5.5.2 (exc)
craftcms   craft_commerce   4.0.0
craftcms   craft_commerce   4.0.0
Note that the CPE ranges begin at 4.0.0 and 4.0.1, while the description lists 4.0.0-RC1 as the earliest affected release; when matching installed versions, treat every 4.x release before 4.10.1 and every 5.x release before 5.5.2 as affected.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-25490 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce affecting versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1. The vulnerability occurs because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel.

An attacker with access to the control panel and permission to manage inventory locations can inject malicious JavaScript into this field. When an administrator views the Inventory Locations page, the injected script executes in their browser.

This can be exploited to perform actions such as privilege escalation by sending crafted requests to grant the attacker administrative rights, leveraging an active elevated session or tricking the administrator into re-authenticating. [1]

Impact Analysis

This vulnerability allows an attacker who already holds a control-panel account with permission to manage inventory locations to execute JavaScript in an administrator's browser, which can lead to privilege escalation.

  • An attacker can inject a payload that, when rendered in an administrator's browser, issues requests under the administrator's session to elevate the attacker's own account to administrator status.
  • The attacker can thereby gain unauthorized administrative control over the Craft Commerce installation.
  • This can lead to further compromise of the ecommerce platform, including unauthorized access to sensitive data and administrative functions.
Detection Guidance

This vulnerability can be detected by checking whether the Craft Commerce installation is running a vulnerable version (from 4.0.0-RC1 to 4.10.0, or from 5.0.0 to 5.5.1) and by testing whether the 'Address Line 1' field in Inventory Locations is susceptible to stored XSS payloads. The installed version is recorded in the project's composer.lock under the craftcms/commerce package and can also be read with `composer show craftcms/commerce`.

A practical detection method is to inject a harmless payload such as `<img src=x onerror="alert(document.domain)">` into the 'Address Line 1' field of an Inventory Location via the control panel. After saving, if the script executes when the Inventory Locations page is viewed, the installation is vulnerable. Run this test only on a staging copy or with an explicitly benign payload, and delete the test record afterwards: the payload is stored and fires for every administrator who views the page.

No network-level check is available for this issue, since confirming it requires an authenticated control-panel session with permission to manage inventory locations. [1]
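The version check described above, as an added example (not code from the Craft Commerce project or from this advisory's source): it parses Composer-style versions, including pre-releases such as 4.0.0-RC1, and tests them against the affected ranges stated in the description (fixed in 4.10.1 and 5.5.2). The composer.lock content is constructed, and the package name craftcms/commerce is assumed to be the plugin's Composer name.

```python
"""Check an installed Craft Commerce version against the CVE-2026-25490 ranges.

Added example, not Craft Commerce project code. Affected per the advisory:
4.0.0-RC1 .. 4.10.0 (fixed in 4.10.1) and 5.0.0 .. 5.5.1 (fixed in 5.5.2).
"""
import json
import re

# Composer-style "MAJOR.MINOR.PATCH" with an optional pre-release suffix
# such as "-RC1", "-beta.2" or "-alpha1". Build metadata is not handled.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

# (inclusive lower bound, exclusive upper bound) per affected major line.
AFFECTED_RANGES = {
    4: ("4.0.0-RC1", "4.10.1"),
    5: ("5.0.0", "5.5.2"),
}


def parse_version(text):
    """Return a tuple that sorts the way Composer orders versions.

    Layout: (major, minor, patch, is_final, pre_rank, pre_number), so that
    4.0.0-alpha1 < 4.0.0-beta1 < 4.0.0-RC1 < 4.0.0 < 4.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, number = m.group(4), m.group(5)
    if tag is None:
        return (major, minor, patch, 1, 0, 0)
    return (major, minor, patch, 0, _PRE_RANK[tag.lower()], int(number or 0))


def is_vulnerable(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    bounds = AFFECTED_RANGES.get(v[0])
    if bounds is None:
        return False  # major lines other than 4.x and 5.x are not listed
    low, high = (parse_version(b) for b in bounds)
    return low <= v < high


def check_composer_lock(lock_text, package="craftcms/commerce"):
    """Locate the plugin in composer.lock JSON and classify its version.

    Returns (version, vulnerable). vulnerable is None when the package is
    absent or its version is not a plain release (e.g. "dev-main").
    """
    data = json.loads(lock_text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == package:
            version = pkg.get("version", "")
            try:
                return version, is_vulnerable(version)
            except ValueError:
                return version, None
    return None, None


# Constructed composer.lock excerpt (assumption: package name craftcms/commerce).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.5.3"},
        {"name": "craftcms/commerce", "version": "5.5.1"},
    ]
})

if __name__ == "__main__":
    version, vulnerable = check_composer_lock(SAMPLE_COMPOSER_LOCK)
    status = {True: "VULNERABLE", False: "not affected", None: "unknown"}[vulnerable]
    print(f"craftcms/commerce {version}: {status}")
```

A pre-release of the fix itself (for example a hypothetical 4.10.1-RC1) sorts below 4.10.1 and is therefore reported as affected, which is the conservative answer when the advisory names only the final release.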

Mitigation Strategies

The immediate mitigation is to upgrade Craft Commerce to a patched version: 4.10.1 or later for the 4.x series, or 5.5.2 or later for the 5.x series.

Until the upgrade can be performed, restrict access to the control panel and to inventory location management to trusted users only, since exploitation requires the permission to manage inventory locations.

Additionally, monitor for suspicious activity in the control panel and consider web application firewall (WAF) rules that detect or block attempts to inject JavaScript payloads into the 'Address Line 1' field. Treat WAF rules as a stopgap rather than a fix: they see only traffic that passes through the WAF, and a payload that slips through is stored and replays on every administrator's page view. After upgrading, also review existing Inventory Location address fields for injected markup, because upgrading does not by itself remove data that was already stored. [1]
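The review of stored address values suggested above, as an added example (not code from the Craft Commerce project): it runs a few narrow markup heuristics over exported 'Address Line 1' values and reports the records that carry HTML tags, inline event handlers or javascript: URIs. The rows are constructed; in a real audit they would come from the installation's inventory location records.

```python
"""Flag Inventory Location address values that carry injected markup.

Added example, not Craft Commerce project code. Postal addresses never need
HTML, so any tag-like content in 'Address Line 1' deserves a manual look.
"""
import re

# Heuristics, reported in this order. The event-handler and javascript: checks
# only fire inside an opening tag, so plain text such as "onsite=yes" or a
# comparison like "5 < 10" is not reported.
_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][\w-]*", re.IGNORECASE),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"<[^>]*\bjavascript\s*:", re.IGNORECASE),
}


def suspicious_markers(value):
    """Return the names of the heuristics that match; empty list if clean."""
    return [name for name, rx in _PATTERNS.items() if rx.search(value)]


def audit_rows(rows):
    """rows: iterable of (record_id, address_line1).

    Returns {record_id: [marker, ...]} for every row that matched at least
    one heuristic. None values are treated as empty strings.
    """
    flagged = {}
    for record_id, address in rows:
        hits = suspicious_markers(address or "")
        if hits:
            flagged[record_id] = hits
    return flagged


# Constructed rows standing in for exported inventory location records.
SAMPLE_ROWS = [
    (1, "12 Market Street"),
    (2, 'Unit 3 <img src=x onerror="alert(document.domain)">'),
    (3, "Warehouse B, Doors 4 & 5"),          # ampersand is legitimate
    (4, "<svg/onload=alert(1)>"),            # no quotes, no spaces
    (5, "1 Oak Lane onsite=yes"),            # must not be flagged
    (6, '<a href="javascript:alert(1)">HQ</a>'),
    (7, None),
]

if __name__ == "__main__":
    for record_id, markers in audit_rows(SAMPLE_ROWS).items():
        print(f"record {record_id}: {', '.join(markers)}")
```

The heuristics are deliberately narrow: entity-encoded text such as `&lt;img ...&gt;` is not reported because it renders as literal text, and a value like "Suite 5 < 10" is not reported because no tag name follows the `<`. Every hit should be reviewed by hand and, if confirmed, removed and correlated with whatever request or access logging the installation keeps, to identify the account that saved it.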

Compliance Impact

The provided information does not specify how this stored XSS vulnerability in Craft Commerce directly affects compliance with common standards and regulations such as GDPR or HIPAA.
