CVE-2026-25482: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms commerce
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2.
AI Analysis
Technical Summary
CVE-2026-25482 is a stored DOM-based Cross-Site Scripting vulnerability classified under CWE-79, found in Craft Commerce, an ecommerce platform built on Craft CMS. The vulnerability affects versions from 4.0.0-RC1 up to 4.10.0 and from 5.0.0 up to 5.5.1. The issue arises in the "Recent Orders" dashboard widget, where the Order Status Name is incorporated into the page using JavaScript string concatenation without proper sanitization or escaping. This improper neutralization of input allows an attacker to inject JavaScript that executes in the context of an administrator's browser when the dashboard is viewed. Because the vulnerability is stored, the payload persists and can affect every admin user who loads the widget. Exploitation requires an attacker with the ability to influence order status names, which typically implies some level of authenticated access to the control panel or manipulation of order data. No authentication bypass is needed, but the victim must be an admin who visits the dashboard widget. The impact includes potential session hijacking, privilege escalation, or further exploitation of the administrative interface. The vulnerability has been addressed in Craft Commerce versions 4.10.1 and 5.5.2 by implementing proper escaping and input validation. No known public exploits have been reported to date. The CVSS 4.0 vector indicates network attack vector, low attack complexity, high privileges required (PR:H, consistent with the admin-level access involved), user interaction required, and high impact on confidentiality, integrity, and availability.
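The bug class above, shown as an added example that is not Craft Commerce's own widget code: a constructed "Recent Orders" row renderer in the unsafe concatenation shape beside an escaped version, plus an audit helper a defender can run over stored status names. The order data, function names and the escaper are all assumptions for illustration; the example runs under Node.js without a DOM.

```javascript
// Added example (not Craft Commerce's own code): the CVE-2026-25482 bug
// class reproduced with a constructed "Recent Orders" row renderer.

// Constructed sample data: the third status name carries markup that a
// plain string concatenation would hand to the browser as live HTML.
const SAMPLE_ORDERS = [
  { number: "1001", statusName: "Paid" },
  { number: "1002", statusName: "Shipped & Invoiced" },
  { number: "1003", statusName: 'Refunded<i title="x">!</i>' },
];

// Minimal HTML escaper for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape described in the advisory: the status name is
// concatenated straight into an HTML fragment, so any markup it contains
// is parsed by the admin's browser.
function renderRowUnsafe(order) {
  return "<tr><td>" + order.number + "</td><td>" + order.statusName + "</td></tr>";
}

// Hardened shape: every untrusted field is escaped before concatenation.
function renderRowSafe(order) {
  return "<tr><td>" + escapeHtml(order.number) +
         "</td><td>" + escapeHtml(order.statusName) + "</td></tr>";
}

// Defender's audit helper: flag stored status names containing characters
// that only matter if some renderer forgets to escape them.
function findSuspiciousStatusNames(orders) {
  return orders
    .filter((o) => /[<>"'&]/.test(o.statusName))
    .map((o) => o.statusName);
}

// Sanity check: the safe renderer emits no '<' other than its own <tr>/<td>
// tags, regardless of what the status names contain.
function safeOutputHasNoRawTags(orders) {
  return orders.every((o) => !/<(?!\/?t[dr]>)/.test(renderRowSafe(o)));
}

console.log(renderRowUnsafe(SAMPLE_ORDERS[2]));
console.log(renderRowSafe(SAMPLE_ORDERS[2]));
console.log("needs review:", findSuspiciousStatusNames(SAMPLE_ORDERS));
```

The same audit logic can be pointed at a database export of status names to find records worth reviewing before the patch is applied.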
Potential Impact
For European organizations using Craft Commerce within their ecommerce infrastructure, this vulnerability poses a significant risk to administrative account security and overall platform integrity. Successful exploitation could lead to execution of arbitrary scripts in admin browsers, enabling session hijacking, theft of sensitive data, or unauthorized actions within the ecommerce system. This could disrupt business operations, lead to data breaches involving customer and order information, and damage organizational reputation. Given the ecommerce context, financial fraud or manipulation of orders is also a potential consequence. The requirement for admin privileges limits the attack surface but does not eliminate risk, especially in environments with multiple administrators or where order status inputs can be influenced by external actors. The vulnerability's presence in widely used versions means many European businesses may be exposed if they have not applied patches. The medium CVSS score reflects moderate impact but should be treated seriously due to the administrative context and potential for chained attacks.
Mitigation Recommendations
European organizations should immediately verify their Craft Commerce version and upgrade to at least 4.10.1 or 5.5.2 to apply the official patch. Until patched, administrators should avoid accessing the "Recent Orders" dashboard widget or restrict access to trusted personnel only. Implement Content Security Policy (CSP) headers to reduce the impact of injected scripts by limiting script execution sources. Review and sanitize all inputs that can influence order status names, including those originating from customers or third-party integrations. Conduct regular audits of administrative accounts and monitor for unusual dashboard activity. Employ web application firewalls (WAFs) with rules targeting XSS payloads specific to Craft Commerce patterns. Additionally, educate administrators about the risks of clicking unknown or suspicious links that could trigger stored XSS payloads. Finally, maintain an incident response plan to quickly address any signs of compromise related to this vulnerability.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.821Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69823eb3f9fa50a62fd8ce6e
Added to database: 2/3/2026, 6:30:11 PM
Last enriched: 2/3/2026, 6:47:17 PM
Last updated: 2/5/2026, 2:06:48 PM