Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25522 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce affecting the Shipping Zone "Name" and "Description" fields within the Store Management section.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because these fields are not properly sanitized before being displayed in the administrator control panel, allowing attackers to inject and execute arbitrary JavaScript in an admin’s browser.'}, {'type': 'paragraph', 'content': 'An attacker with access to the control panel and permissions to manage store settings can insert malicious scripts into these fields, which then execute when viewed by an administrator.'}, {'type': 'paragraph', 'content': 'This can lead to privilege escalation by using crafted payloads to grant the attacker full administrator rights.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the browser of an administrator who views the affected Shipping Zone fields.

Potential impacts include theft of administrator session tokens, unauthorized actions performed with administrator privileges, and privilege escalation to gain full administrator control.

An attacker can automate the attack by forcing administrator logout and triggering the malicious script upon re-login or by phishing administrator credentials using fake login modals.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by verifying if the Craft Commerce installation is running a vulnerable version (from 4.0.0-RC1 to 4.10.0 or from 5.0.0-RC1 to 5.5.1) and by checking if the Shipping Zone "Name" and "Description" fields in the Store Management section accept and render unsanitized input.'}, {'type': 'paragraph', 'content': 'A practical detection method involves attempting to inject a benign XSS payload into the Shipping Zone Name field and observing if it executes in the administrator control panel.'}, {'type': 'list_item', 'content': 'Log into the admin panel with appropriate permissions.'}, {'type': 'list_item', 'content': 'Navigate to Commerce → Store Management → Shipping Zones.'}, {'type': 'list_item', 'content': 'Create or edit a shipping zone and input a test payload such as `<img src=x onerror="alert(document.domain)">` in the Name or Description field.'}, {'type': 'list_item', 'content': 'Save the changes and observe if the JavaScript alert executes when the page reloads.'}, {'type': 'paragraph', 'content': 'No specific network commands are provided in the resources, but detection relies on verifying the presence of the vulnerability through the admin interface as described.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Craft Commerce to a patched version where this vulnerability is fixed.

• Upgrade to version 4.10.1 or later if using the 4.x series.
• Upgrade to version 5.5.2 or later if using the 5.x series.

Additionally, restrict access to the Store Management section to trusted administrators only and monitor for suspicious activity, especially any unexpected changes in Shipping Zone fields.

Consider reviewing administrator sessions and enforcing logout and re-login to invalidate any active sessions that might be exploited.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how the stored XSS vulnerability in Craft Commerce directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0