Craft Commerce, Stored DOM XSS Vulnerability (Critical)

Listen to this Post

The vulnerability is a stored DOM-based cross-site scripting (XSS) in the Recent Orders dashboard widget of Craft Commerce. It arises from unsanitized JavaScript string concatenation when rendering Order Status Names. Specifically, in the file vendor/craftcms/commerce/src/templates/_components/widgets/orders/recent/body.twig, the `value.name` parameter is directly inserted into HTML without proper escaping. When an admin user creates a malicious order status with script payloads in the name field, this input is stored in the database. Upon loading the dashboard with the Recent Orders widget, JavaScript callback functions concatenate the `value.name` into DOM elements without using Craft.escapeHtml(). This allows arbitrary HTML and JavaScript to be executed in the context of the admin dashboard, leading to full script execution whenever any admin views the widget. The attack requires admin privileges to create the malicious order status, but once stored, it affects all admins accessing the dashboard. The issue is rooted in the lack of output encoding in the client-side rendering process, making it a classic DOM XSS flaw where user-controlled data flows directly into `innerHTML` or similar DOM manipulation.
Platform: Craft Commerce
Version: Prior to 5.5.2
Vulnerability: Stored DOM XSS
Severity: Critical
Date: Not disclosed

Prediction: Patched in 5.5.2

What Undercode Say:

Analytics

!/bin/bash

Check Craft Commerce version

composer show craftcms/commerce | grep version

Verify if vulnerable version

if [[ “$version” < “5.5.2” ]]; then echo “Vulnerable”; fi

Sample vulnerable code from body.twig

callback: function(value) {

return ‘‘ + value.name + ‘‘;
}

Patched code with escaping

callback: function(value) {

return ‘‘ + Craft.escapeHtml(value.name) + ‘‘;
}

How Exploit:

  • Admin login.
  • Create malicious order status.
  • Add Recent Orders widget.
  • Trigger XSS on dashboard.

Protection from this CVE

Update to 5.5.2.

Use Craft.escapeHtml().

Input sanitization.

Impact:

Admin script execution.

Dashboard compromise.

Potential data theft.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top