Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-wqc5-485v-3hqh

Опубликовано: 02 фев. 2026
Источник: github
Github: Прошло ревью
CVSS4: 6.1

Описание

Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Summary

A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel.

Proof of Concept

Requirments

  • General permissions:
    • Access the control panel
    • Access Craft Commerce
  • Craft Commerce permissions:
    • Manage store settings
    • Manage taxes
  • An active administrator elevated session

Steps to Reproduce

  1. Log in to the Admin Panel with the attacker account with the permissions mentioned above.
  2. Navigate to Commerce -> Store Management -> Tax Rates (/admin/commerce/store-management/primary/taxrates).
  3. Create a new tax rate.
  4. In the Name field, enter the following payload:
<img src=x onerror="alert(document.domain)">
  1. Pick or create a Tax Category since it’s required to save the tax rate.
  2. Click Save and you’ll be redirected back to the previous page.
  3. Notice the alert proving JavaScript execution. poc-alert

Privilege Escalation to Administrator:

  1. Do the same steps above, but replace the payload with a malicious one.
  2. The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the <UserID> with your attacker id:
<img src=x onerror="fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})">
  1. In another browser, log in as an admin & go to the vulnerable page (tax rates page).
  2. Go back to your attacker account & notice you are now an admin.

The privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack.

Or even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it's on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.

Resources:

https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee

Ссылки

Пакеты

Наименование

craftcms/commerce

composer
Затронутые версииВерсия исправления

>= 5.0.0-RC1, <= 5.5.1

5.5.2

Наименование

craftcms/commerce

composer
Затронутые версииВерсия исправления

>= 4.0.0-RC1, <= 4.10.0

4.10.1

EPSS

Процентиль: 13%
0.00043
Низкий

6.1 Medium

CVSS4

CVE ID

CVE-2026-25487

Дефекты

CWE-79

Связанные уязвимости

nvd логотип

CVE-2026-25487

nvd
4 дня назад

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

EPSS

Процентиль: 13%
0.00043
Низкий

6.1 Medium

CVSS4

CVE ID

CVE-2026-25487

Дефекты

CWE-79