PT-2026-6311 · Unknown · Craft Commerce
Mhe4Am · Published 2026-02-02 · Updated 2026-02-03 · CVE-2026-25522
CVSS v4.0: 6.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
Craft Commerce versions 4.0.0-RC1 through 4.10.0
Craft Commerce versions 5.0.0 through 5.5.1

Description
Craft Commerce, an e-commerce platform for Craft CMS, contains a stored cross-site scripting (XSS) issue. The vulnerability resides in the Shipping Zone (Name & Description) fields within the Store Management section, which are not adequately sanitized before display in the admin panel. This allows attackers to inject malicious JavaScript code that executes in an administrator's browser. An attacker could potentially escalate privileges to administrator level by exploiting this issue, especially if an administrator session is already active. The exploit involves crafting a malicious payload, such as <img src=x onerror="alert(document.domain)">, and inserting it into the Shipping Zone Name field via the /admin/commerce/store-management/primary/shippingzones API endpoint. The injected script can then be used to steal administrator credentials through a fake login modal or directly elevate the attacker's account to administrator privileges using a crafted POST request to the /admin/users/<UserID>/permissions API endpoint, where UserID represents the attacker's user ID. The CRAFT CSRF TOKEN variable is also utilized in the malicious request.

Recommendations
Craft Commerce versions 4.0.0-RC1 through 4.10.0 should be updated to version 4.10.1 or later. Craft Commerce versions 5.0.0 through 5.5.1 should be updated to version 5.5.2 or later.
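As an added example (not code from this advisory, from Craft CMS or from the Craft Commerce project), the check below reads a project's composer.lock and reports whether the installed Craft Commerce version falls inside the affected ranges listed above, handling the 4.0.0-RC1 lower bound by ordering pre-releases before their final release. It assumes the Composer package name craftcms/commerce and uses a constructed composer.lock fragment as input.

```python
import json
import re

# Affected ranges (inclusive) and the first fixed release on each branch, from the advisory.
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.10.0", "4.10.1"),
    ("5.0.0", "5.5.1", "5.5.2"),
]

_PRE_ORDER = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}

def parse_version(v):
    """Turn '4.0.0-RC1' into a tuple that orders the way Composer does:
    a pre-release sorts before the final release with the same number."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-?(dev|alpha|a|beta|b|rc)\.?(\d*))?",
                     v.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised version: %r" % v)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        pre = (_PRE_ORDER[m.group(4).lower()], int(m.group(5) or 0))
    else:
        pre = (9, 0)  # a final release sorts after any of its pre-releases
    return (major, minor, patch) + pre

def affected_by_cve_2026_25522(version):
    """Return the version to upgrade to if `version` is affected, else None."""
    parsed = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= parsed <= parse_version(high):
            return fixed
    return None

def check_composer_lock(lock_text):
    """Locate craftcms/commerce (assumed Composer package name) in a composer.lock
    document; return (installed version, fixed version or None)."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/commerce":
            return pkg["version"], affected_by_cve_2026_25522(pkg["version"])
    return None, None  # Craft Commerce is not installed in this project

# Constructed composer.lock fragment for the demo, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.5.0"},
    {"name": "craftcms/commerce", "version": "5.5.1"},
]})

if __name__ == "__main__":
    installed, fixed = check_composer_lock(SAMPLE_LOCK)
    print(installed, "->", "upgrade to " + fixed if fixed else "not affected")
```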

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2026-25522
GHSA-H9R9-2PXG-CX9M

Affected products

Craft Commerce