
CVE-2025-54264: Cross-site Scripting (Stored XSS) (CWE-79) in Adobe Commerce

Severity: High
Published: Tue Oct 14 2025 (10/14/2025, 20:27:53 UTC)
Source: CVE Database V5
Vendor/Project: Adobe
Product: Adobe Commerce

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

AI-Powered Analysis

Last updated: 10/21/2025, 21:49:31 UTC

Technical Analysis

CVE-2025-54264 is a stored Cross-Site Scripting (XSS) vulnerability identified in Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier. The vulnerability arises from insufficient sanitization of user input in certain form fields, allowing a high-privileged attacker to inject malicious JavaScript code that is stored persistently on the server. When other users visit the affected pages containing these fields, the malicious scripts execute within their browsers under the context of the legitimate site. This can lead to session hijacking, theft of sensitive data, and manipulation of site content, thereby compromising confidentiality and integrity. The vulnerability requires the attacker to have high privileges to inject the payload and requires victims to interact by visiting the compromised page. The CVSS v3.1 score of 8.1 reflects a network attack vector, low attack complexity, high privileges required, user interaction needed, changed scope, and high impact on confidentiality and integrity, with no impact on availability. Although no known exploits are currently reported, the vulnerability poses a significant risk to organizations relying on Adobe Commerce for e-commerce operations. The scope change indicates that the vulnerability affects resources beyond the attacker’s initial privileges once exploited. The lack of official patches at the time of reporting necessitates immediate mitigation efforts.

Potential Impact

For European organizations, this vulnerability poses a significant risk to e-commerce platforms running Adobe Commerce. Exploitation could lead to session hijacking, unauthorized access to user accounts, and potential data breaches involving customer information, payment details, and business-critical data. The compromise of confidentiality and integrity can damage customer trust, lead to regulatory penalties under GDPR, and disrupt business operations. Since Adobe Commerce is widely used by retailers and service providers across Europe, the impact could be widespread, affecting both large enterprises and SMEs. The requirement for high privileges to inject malicious scripts somewhat limits the attack surface but does not eliminate risk, especially if internal accounts are compromised or insider threats exist. User interaction is required, but social engineering or phishing could facilitate victim visits to malicious pages. The changed scope means that the attacker’s influence extends beyond their initial access, increasing the potential damage. Overall, the vulnerability could lead to financial losses, reputational damage, and legal consequences for affected organizations.

Mitigation Recommendations

European organizations should immediately assess their Adobe Commerce installations to identify affected versions and prioritize upgrading to patched versions once available. In the interim, implement strict input validation and sanitization on all user-supplied data, especially in form fields vulnerable to script injection. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Use Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting Adobe Commerce. Conduct regular security audits and penetration testing focused on XSS vulnerabilities. Limit the number of users with high privileges and enforce strong authentication and access controls to reduce the risk of malicious script injection. Educate users about phishing and social engineering risks to minimize victim interaction with malicious content. Monitor logs and user activity for signs of exploitation attempts or anomalous behavior. Prepare incident response plans specific to web application attacks to enable rapid containment and remediation.
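The analysis above attributes the flaw to stored field values reaching a page without adequate encoding, and the mitigations call for output sanitization, a Content Security Policy, and monitoring of stored content for signs of injection. The following Python block is an added illustration written for this page; it is not Adobe Commerce code and does not reproduce the vulnerable component. It shows the three defensive pieces side by side: encoding a stored value at render time, building a nonce-based CSP header, and auditing already-stored field values for script-like content. The sample rows, field names and the CSP directive set are constructed assumptions for the demonstration.

```python
"""Defensive helpers for stored XSS in admin-editable form fields.

Added illustration only (not Adobe Commerce code). Shows (1) output encoding
of stored field values, (2) a nonce-based Content Security Policy header, and
(3) a scan of already-stored values for script-like content, the kind of check
a defender runs after a high-privileged account is suspected of misuse.
"""
import html
import re
import secrets

# Constructed sample rows shaped like admin-entered text fields:
# (row id, field name, stored value). Not real Adobe Commerce data.
SAMPLE_ROWS = [
    (101, "store_name", "Acme Outlet & Co."),
    (102, "meta_description", "Great deals on <b>winter</b> gear"),
    (103, "cms_block", "<script>alert(1)</script>"),
    (104, "promo_banner", '<img src="x" onerror="alert(1)">'),
    (105, "footer_text", 'Visit <a href="javascript:void(0)">our site</a>'),
]

# Heuristics for content that should never appear in a plain-text field.
_SUSPICIOUS = [
    ("script-like tag",
     re.compile(r"<\s*/?\s*(script|iframe|object|embed|svg|style|base|meta|link)\b", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
]


def escape_for_html(value: str) -> str:
    """Encode a stored value for insertion into HTML text or a quoted attribute."""
    return html.escape(value, quote=True)


def render_field(label: str, value: str) -> str:
    """Render one field. Both label and value are encoded at output time,
    which neutralises a stored payload regardless of what reached the DB."""
    return f"<label>{escape_for_html(label)}</label><span>{escape_for_html(value)}</span>"


def new_nonce() -> str:
    """Fresh per-response nonce for the CSP script-src directive."""
    return secrets.token_urlsafe(16)


def build_csp_header(nonce: str) -> str:
    """Strict CSP (assumed directive set): only same-origin scripts or scripts
    carrying the per-response nonce may run, so an injected inline <script>
    that lacks the nonce is blocked by the browser even if encoding was missed."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    )


def suspicious_markup(value: str) -> list[str]:
    """Return the reasons a stored value looks like script injection (empty if clean)."""
    return [name for name, pattern in _SUSPICIOUS if pattern.search(value)]


def audit_rows(rows):
    """Scan stored rows and return (id, field, reasons) for each flagged row."""
    findings = []
    for row_id, field, value in rows:
        reasons = suspicious_markup(value)
        if reasons:
            findings.append((row_id, field, reasons))
    return findings


if __name__ == "__main__":
    nonce = new_nonce()
    print(build_csp_header(nonce))
    for row_id, field, value in SAMPLE_ROWS:
        print(row_id, render_field(field, value))
    for finding in audit_rows(SAMPLE_ROWS):
        print("FLAGGED:", finding)
```

The audit heuristics are deliberately narrow (script-like tags, inline event handlers, `javascript:` URLs) to keep false positives low on fields that legitimately hold simple formatting such as `<b>`; the encoding and CSP layers are what actually stop execution, and the audit is there to find content a privileged account has already stored.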


Technical Details

Data Version: 5.1
Assigner Short Name: adobe
Date Reserved: 2025-07-17T21:15:02.463Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68eeb4a054d2200316a0d6ab

Added to database: 10/14/2025, 8:37:52 PM

Last enriched: 10/21/2025, 9:49:31 PM

Last updated: 12/4/2025, 9:00:07 PM
