Description
Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.
Published: 2026-02-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS in Shipping Methods Name field allowing malicious JavaScript execution in an administrator’s browser, potentially leading to privilege escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw (CWE‑79): the Shipping Methods Name field in Craft Commerce is not escaped before it is rendered in the control panel. A payload stored in that field runs as JavaScript in the browser of any administrator who views the shipping method, which can be used for credential theft, session hijacking, or further privileged actions performed with the victim's control-panel session.

Affected Systems

Craft Commerce, a plugin for Craft CMS, is affected in all releases from version 5.0.0 through 5.5.1. The issue is fixed in version 5.5.2 and later.

Risk and Exploitability

The CVSS 4.0 base score is 6.1 (medium); NVD's CVSS 3.1 score is 4.8. Both vectors require high privileges (PR:H) and user interaction, so an attacker must already hold a control-panel account able to create or edit shipping methods and must then wait for, or lure, another administrator to open the affected page. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the CVE is not listed in the CISA KEV catalog, although the CISA SSVC record marks exploitation status as "poc". The realistic scenario is a lower-trust store manager or a compromised account planting a payload in a shipping method name to take over a higher-privileged administrator's session.

Generated by OpenCVE AI on April 18, 2026 at 14:12 UTC.

Remediation

Vendor fix: upgrade Craft Commerce to version 5.5.2 or later, which escapes the Shipping Methods Name field before rendering. No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to version 5.5.2 or later to eliminate the flaw.
  • Remove any shipping method names that contain suspicious or untrusted content from the admin panel.
  • Until the upgrade is applied, restrict the ability to create or edit shipping methods to a trusted subset of administrators. Output encoding in the control-panel templates is the vendor's fix and is delivered by the upgrade, not something operators can apply on their own.



Advisories
Source: GitHub GHSA
ID: GHSA-g92v-wpv7-6w22
Title: Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation
History

Tue, 10 Feb 2026 18:15:00 +0000

  First time appeared (added): Craftcms craft Commerce
  CPEs (added): cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
  Vendors & Products (added): Craftcms craft Commerce
  Metrics (added): cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Feb 2026 21:15:00 +0000

  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

  First time appeared (added): Craftcms; Craftcms commerce
  Vendors & Products (added): Craftcms; Craftcms commerce

Tue, 03 Feb 2026 18:30:00 +0000

  Description (added): Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.
  Title (added): Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation
  Weaknesses (added): CWE-79
  References (added): (none listed)
  Metrics (added): cvssV4_0 {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:10:12.885Z

Reserved: 2026-02-02T16:31:35.822Z

Link: CVE-2026-25486

Vulnrichment

Updated: 2026-02-04T21:10:10.307Z

NVD

Status : Analyzed

Published: 2026-02-03T19:16:26.210

Modified: 2026-02-10T18:12:08.720

Link: CVE-2026-25486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses