CVE-2026-25483 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting Craft Commerce, an ecommerce platform built on Craft CMS. The flaw exists in the Order Status History Message feature, where messages are rendered using the |md filter that permits raw HTML content. This improper neutralization of input allows an attacker to inject malicious scripts that execute in the context of users viewing the order status history. Notably, the vulnerability can be exploited by users possessing database backup utility permissions, which do not require elevated session privileges, making exploitation easier. Successful exploitation enables attackers to exfiltrate the entire database, including sensitive information such as user credentials, personally identifiable information (PII), order histories, and two-factor authentication (2FA) recovery codes. The vulnerability affects Craft Commerce versions from 4.0.0-RC1 up to but not including 4.10.1, and from 5.0.0 up to but not including 5.5.2. The vendor has released patches in versions 4.10.1 and 5.5.2 to address this issue. The CVSS 4.0 vector indicates a network attack vector with low complexity, no privileges required, but user interaction is necessary, and the scope is limited to the vulnerable component. No public exploits have been reported yet, but the potential impact on confidentiality and integrity is significant due to the sensitive nature of the data accessible through exploitation.

For European organizations using affected versions of Craft Commerce, this vulnerability poses a significant risk of data breach and account compromise. The ability to exfiltrate the entire database, including user credentials, customer PII, order history, and 2FA recovery codes, threatens confidentiality and integrity of critical business and customer data. This can lead to financial loss, reputational damage, regulatory penalties under GDPR due to exposure of personal data, and operational disruption. Attackers exploiting this flaw could impersonate users, escalate privileges, or conduct further attacks using stolen credentials and recovery codes. The fact that exploitation requires only database backup utility permissions, which are not highly privileged, increases the attack surface. Given the ecommerce nature of Craft Commerce, attacks could also impact transaction integrity and customer trust. The medium CVSS score reflects moderate ease of exploitation but significant impact, emphasizing the need for timely remediation.

European organizations should immediately upgrade Craft Commerce installations to versions 4.10.1 or later in the 4.x series, or 5.5.2 or later in the 5.x series, where the vulnerability is patched. Until patching is possible, restrict database backup utility permissions to trusted administrators only, and audit existing permissions to ensure no unnecessary users have this access. Implement strict input validation and sanitization on order status messages to prevent injection of malicious HTML or scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the application context. Monitor logs for unusual activity related to order status messages and database backup operations. Conduct regular security assessments and penetration testing focused on web input handling and privilege management. Educate staff on the risks of XSS and the importance of least privilege principles. Finally, ensure robust incident response plans are in place to quickly address any suspected exploitation.