Craft Commerce, Stored XSS Vulnerability

Listen to this Post

How the mentioned vulnerability works:

The vulnerability is a stored cross-site scripting (XSS) issue in Craft Commerce. It originates in the Product Type settings within the Commerce module. An attacker with administrative privileges to edit product types can inject malicious JavaScript code into the product type name field. This input is not sanitized upon entry and is stored in the database. The sink occurs in the Craft CMS user permissions settings interface. When an administrator or user with appropriate access views the user permissions page, the unsanitized product type name is rendered directly into the HTML without proper output encoding. This causes the embedded script to execute in the victim’s browser context. The attack requires the attacker to have commerce product type management permissions, typically restricting it to trusted users. However, if such an account is compromised, the injected script can steal session cookies, perform actions as the victim, or deface the admin panel. The vulnerability affects both major version lines 4.x and 5.x of Craft Commerce. The fix involves implementing proper sanitization or output encoding when displaying the product type name in the permissions settings view, preventing script execution.
Platform: Craft Commerce
Version: 5.0.0-5.5.1,4.0.0-RC1-4.10.0
Vulnerability: Stored XSS
Severity: Unspecified
date: Feb 2 2026

Prediction: Patched versions released

What Undercode Say:

Analytics:

  • Check version: `composer show craftcms/commerce`
    – Scan for unsanitized output: `grep -r “productType.name” templates/`
    – Test payload: ``

How Exploit:

1. Edit product type.

2. Inject XSS payload.

3. Trigger via permissions page.

Protection from this CVE

Update to 5.5.2 or 4.10.1.

Impact:

Session hijacking, admin compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top