Description
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.
Published: 2026-03-10
Score: 1.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

An order status name entered by an administrator is rendered in the Commerce Orders table without proper escaping. When an admin updates the status of an order, the unescaped value can contain arbitrary JavaScript that is stored and later executed each time the order is viewed. This flaw allows script execution in the context of the Craft Commerce administrative interface.

Affected Systems

Craft Commerce, the ecommerce plugin for Craft CMS, is affected in all releases older than version 4.10.2 and 5.5.3.

Risk and Exploitability

The flaw receives a CVSS score of 1.9, indicating low severity, and an EPSS probability of less than 1%. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated and to have permission to edit order statuses, which means the attack vector is local and privileged. While the low severity score reduces overall risk, the ability to execute arbitrary script within the admin interface is a notable security concern.

Generated by OpenCVE AI on April 17, 2026 at 11:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft Commerce to version 4.10.2 or 5.5.3, the first releases where the issue is fixed.
  • If an upgrade cannot be performed immediately, restrict the ability to edit order statuses to a minimal set of trusted administrators and monitor for any injected script strings in stored status names.
  • Ensure that order status names are validated and properly escaped before being rendered to prevent stored script injection.

Generated by OpenCVE AI on April 17, 2026 at 11:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mqxf-2998-c6cp Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
History

Wed, 11 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Commerce
CPEs cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*
Vendors & Products Craftcms craft Commerce
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms commerce
Vendors & Products Craftcms
Craftcms commerce

Tue, 10 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.
Title Craft Commerce has Stored XSS while updating Order Status from Orders Table
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 1.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P'}

Subscriptions

Craftcms Commerce Craft Commerce
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T20:12:40.044Z

Reserved: 2026-03-04T14:44:00.712Z

Link: CVE-2026-29173

cve-icon Vulnrichment

Updated: 2026-03-10T20:11:50.683Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T20:16:38.383

Modified: 2026-03-11T16:55:37.987

Link: CVE-2026-29173

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses