Craft Commerce Stored XSS Leading to Privilege Escalation (CVE-2026-25490)

This webpage screenshot provides a detailed description of a stored XSS vulnerability discovered in Craft Commerce, which could lead to privilege escalation. Below are the key vulnerability details extracted from the screenshot: Vulnerability Type: Stored Cross-Site Scripting (XSS) Affected Package: (Composer) Affected Versions: - >= 5.0.0-RC1, = 4.0.0-RC1, <= 4.10.0 Fixed Versions: - 5.5.2 - 4.10.1 CVE ID: CVE-2026-25490 Weakness Type: CWE-79 Vulnerability Description: In Craft Commerce, the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed, allowing attackers to execute malicious JavaScript code, potentially affecting the administrator’s browser. Exploitation Requirements: - General Permissions: Access to the control panel and access to Craft Commerce. - Craft Commerce Permissions: Manage Inventory Locations. - Others: A valid privilege escalation session. Proof of Concept (PoC) & Steps: An authorized user must log in to the control panel, navigate to Commerce → Inventory Locations, and input a malicious payload (e.g., ) into the Address Line 1 field to trigger the vulnerability, resulting in an alert box confirming JavaScript execution. Privilege Escalation to Admin: - Using a malicious payload, if an escalation session exists, an attacker can modify to their own user ID in a payload such as: This can elevate the attacker’s account to admin privileges. - Log in with an admin account in another browser and access the vulnerable page (Inventory Location page). - Return to the attacker’s account and observe that they have been escalated to admin. Exploitation Scenario Application: In real-world scenarios, an attacker could automatically log out the victim, causing their session to expire. When the victim re-authenticates, the stored XSS payload executes in the new session, completing the attack. Alternatively, a more sophisticated approach involves creating a fake “Session Expired” login modal overlay. Since it appears on a trusted domain, the administrator may unknowingly enter their credentials, handing them over to the attacker. Vulnerability Reporter: mHe4am

Goal Reached Thanks to every supporter — we hit 100%!

Craft Commerce Stored XSS Leading to Privilege Escalation (CVE-2026-25490)

More from this source