Critical Vulnerability Information

Vulnerability Overview

Vulnerability Type: Stored XSS
Affected Module: Tax Zones (Name and Description fields)
Risk Level: Medium
CVE ID: CVE-2026-25489

Affected Versions

Affected Versions:
- >= 5.0.0-RC1, = 4.0.0-RC1, <= 4.10.0

Fixed Versions:
- 5.5.2
- 4.10.1

Vulnerability Description

Root Cause: When the admin panel displays the Name and Description fields of a Tax Zone, the stored values are not properly sanitized before being rendered, so malicious JavaScript placed in those fields is executed in the browser of whoever views the page.

Potential Threat: Could lead to privilege escalation.

Exploitation Requirements

Required Permissions:
- Access to the control panel
- Access to Craft Commerce
- Manage store settings
- Manage taxes

Requires an active privilege-escalation session.

Exploitation Steps

1. Log in to the admin panel using an attacker account with the above permissions.
2. Navigate to Commerce → Store Management → Tax Zones.
3. Create a new tax zone.
4. Enter a specific payload in the name or description field, for example:
5. Click Save; you will be redirected back to the previous page.
6. Observe the alert popup, confirming JavaScript execution.

Privilege Escalation to Admin

1. Repeat the above steps, but replace the payload with malicious content.
2. Use the following payload to escalate the attacker's account to admin privileges (replace with the attacker's user ID if an escalation session exists):

Privilege escalation requires an escalation session. In a real environment, an attacker can force a logout if the victim's session is idle, then complete the attack; after re-authentication, the stored XSS payload will execute within the fresh escalated session. Alternatively, and more cleverly, the attacker can use the XSS to display a fake "Session Expired" login overlay. Because it appears on a trusted domain, the admin is likely to enter their credentials, which are then sent directly to the attacker.
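To illustrate the root cause described above, here is an added example (not code from the advisory or from Craft Commerce) that renders a Tax Zone row the vulnerable way, beside the hardened version that HTML-encodes the Name and Description on output, plus an audit helper for flagging stored zones that already contain markup. The record class, sample zones, function names and the detection regex are all assumptions constructed for the example.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class TaxZone:
    """Minimal stand-in for a stored tax zone record (constructed for this example)."""
    id: int
    name: str
    description: str


# Constructed sample data: zone 2 carries a harmless script tag in its name.
SAMPLE_ZONES = [
    TaxZone(1, "EU standard rate", "VAT for EU member states"),
    TaxZone(2, "UK <script>alert(1)</script>", "Post-Brexit zone"),
    TaxZone(3, "US & Canada", 'Uses "destination" basis'),
]


def render_row_unsafe(zone: TaxZone) -> str:
    """Vulnerable pattern: stored field values interpolated straight into HTML."""
    return f"<tr><td>{zone.name}</td><td>{zone.description}</td></tr>"


def _esc(value: str) -> str:
    # Encode <, >, &, " and ' so the value can only ever be text, never markup.
    return html.escape(value, quote=True)


def render_row_safe(zone: TaxZone) -> str:
    """Hardened pattern: every user-controlled value is HTML-encoded at output time."""
    return f"<tr><td>{_esc(zone.name)}</td><td>{_esc(zone.description)}</td></tr>"


# Crude audit signature for markup, inline event handlers or javascript: URLs
# already sitting in stored data (useful when checking a site before/after patching).
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_zones(zones) -> list:
    """Return the ids of zones whose name or description contains markup."""
    return [z.id for z in zones if _MARKUP.search(z.name) or _MARKUP.search(z.description)]
```

The escaped row for zone 2 still shows the script text to the admin, but as inert `&lt;script&gt;` characters rather than an executable element.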