Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-p6w8-q63m-72c8

Опубликовано: 02 фев. 2026
Источник: github
Github: Прошло ревью
CVSS4: 6.1

Описание

Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation

Summary

A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel.

Proof of Concept

Requirments

  • General permissions:
    • Access the control panel
    • Access Craft Commerce
  • Craft Commerce permissions:
    • Manage store settings
    • Manage taxes
  • An active administrator elevated session

Steps to Reproduce

  1. Log in to the Admin Panel with the attacker account with the permissions mentioned above.
  2. Navigate to Commerce -> Store Management -> Tax Categories (/admin/commerce/store-management/primary/taxcategories).
  3. Create a new tax category.
  4. In the Name or Description field, enter the following payload:
<img src=x onerror="alert(document.domain)">
  1. Click Save and you'll be redirected back to the previous page.
  2. Notice the alert proving JavaScript execution.

Privilege Escalation to Administrator:

  1. Do the same steps above, but replace the payload with a malicious one.
  2. The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the <UserID> with your attacker id:
<img src=x onerror="fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})">
  1. In another browser, log in as an admin & go to the vulnerable page (tax categories page).
  2. Go back to your attacker account & notice you are now an admin.

The privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack.

Or even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it’s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.

References:

https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee

Ссылки

Пакеты

Наименование

craftcms/commerce

composer
Затронутые версииВерсия исправления

>= 5.0.0-RC1, <= 5.5.1

5.5.2

Наименование

craftcms/commerce

composer
Затронутые версииВерсия исправления

>= 4.0.0-RC1, <= 4.10.0

4.10.1

EPSS

Процентиль: 13%
0.00043
Низкий

6.1 Medium

CVSS4

CVE ID

CVE-2026-25488

Дефекты

CWE-79

Связанные уязвимости

nvd логотип

CVE-2026-25488

nvd
4 дня назад

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

EPSS

Процентиль: 13%
0.00043
Низкий

6.1 Medium

CVSS4

CVE ID

CVE-2026-25488

Дефекты

CWE-79