Listen to this Post
The vulnerability is a stored DOM-based cross-site scripting (XSS) in the Recent Orders dashboard widget of Craft Commerce. It arises from unsanitized JavaScript string concatenation when rendering Order Status Names. Specifically, in the file vendor/craftcms/commerce/src/templates/_components/widgets/orders/recent/body.twig, the `value.name` parameter is directly inserted into HTML without proper escaping. When an admin user creates a malicious order status with script payloads in the name field, this input is stored in the database. Upon loading the dashboard with the Recent Orders widget, JavaScript callback functions concatenate the `value.name` into DOM elements without using Craft.escapeHtml(). This allows arbitrary HTML and JavaScript to be executed in the context of the admin dashboard, leading to full script execution whenever any admin views the widget. The attack requires admin privileges to create the malicious order status, but once stored, it affects all admins accessing the dashboard. The issue is rooted in the lack of output encoding in the client-side rendering process, making it a classic DOM XSS flaw where user-controlled data flows directly into `innerHTML` or similar DOM manipulation.
Platform: Craft Commerce
Version: Prior to 5.5.2
Vulnerability: Stored DOM XSS
Severity: Critical
Date: Not disclosed
Prediction: Patched in 5.5.2
What Undercode Say:
Analytics
!/bin/bash
Check Craft Commerce version
composer show craftcms/commerce | grep version
Verify if vulnerable version
if [[ “$version” < “5.5.2” ]]; then echo “Vulnerable”; fi
Sample vulnerable code from body.twig
callback: function(value) {
return ‘‘ + value.name + ‘‘;
}
Patched code with escaping
callback: function(value) {
return ‘‘ + Craft.escapeHtml(value.name) + ‘‘;
}
How Exploit:
- Admin login.
- Create malicious order status.
- Add Recent Orders widget.
- Trigger XSS on dashboard.
Protection from this CVE
Update to 5.5.2.
Use Craft.escapeHtml().
Input sanitization.
Impact:
Admin script execution.
Dashboard compromise.
Potential data theft.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

