PT-2026-24630 · Packagist · Craftcms/Commerce
Published
2026-03-10
·
Updated
2026-03-10
CVSS v4.0
1.9
Low
| Vector | AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Summary
A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur.
Proof of Concept
Required Permissions
- Admin access (to edit/create Order Statuses)
Steps to Reproduce
- Log in with an admin account
- Navigate to Commerce → Settings → Order Statuses
- Create a new order status
- Set the Name field to:
html
<img src=x onerror="alert('Order Statuses XSS')">- Save the order status
- Go to Commerce → Orders (make sure you placed any orders)
- From the left panel, select any Order Status (e.g., New)
- Select any order from the orders table → Click on the Gear Icon → then click "Update Order Status..."
- Notice the XSS execution
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Craftcms/Commerce