CVE-2026-25483: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms commerce
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2.
AI Analysis
Technical Summary
CVE-2026-25483 is a stored cross-site scripting (XSS) vulnerability in Craft Commerce, the ecommerce plugin for Craft CMS. It affects versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The root cause is in the Order Status History Message feature: the message is rendered in the control panel through Craft's |md (Markdown) Twig filter, and Markdown passes inline HTML through unchanged, so a message containing a tag with an event-handler attribute or a script element is stored verbatim and executes in the browser of every control-panel user who later views that order's status history. Planting the payload needs only the ability to write an order status message; the CVSS vector rates the privileges required as Low, so this is not an administrative capability. The damage depends on who views the poisoned order. If the victim holds the database backup utility permission, the injected script can trigger a backup from inside the victim's session and send the resulting dump to the attacker, and because that utility does not require an elevated session (Craft's re-authentication step for sensitive actions) the script needs nothing from the victim beyond an open control-panel session. The backup contains the entire database: user credentials, customer personally identifiable information (PII), order history, and two-factor authentication (2FA) recovery codes, so a single page view by an over-privileged user turns the XSS into a full data breach. The vulnerability is patched in Craft Commerce 4.10.1 and 5.5.2. The published CVSS 4.0 metrics are network attack vector (AV:N), low attack complexity (AC:L), no special attack requirements (AT:N), low privileges required (PR:L), and passive user interaction (UI:P, the victim only has to view a page). The vulnerable-system impact metrics are rated none (VC:N/VI:N/VA:N) with low integrity impact on a subsequent system (SI:L); that scoring undercounts the data exposure described above, so treat the scenario rather than the vector as the guide to impact. No exploitation in the wild had been reported at publication. The weakness is CWE-79, improper neutralization of input during web page generation.
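How a stored payload survives Markdown rendering, and why escaping before parsing neutralises it, as an added JavaScript example. This is not Craft code: the two-rule Markdown renderer stands in for the |md filter and its exact behaviour is an assumption, and the payload's alert(1) is a placeholder for the real script that would call the backup utility from the victim's session.

```javascript
// Added example, not code from Craft CMS or Craft Commerce. A minimal
// Markdown renderer (bold and links only) stands in for the |md Twig filter;
// its behaviour is an assumption made to illustrate the bug class.

// HTML-escape the five characters that matter inside element content and
// attribute values.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Tiny Markdown subset: **bold** and [text](url). Like real Markdown it
// leaves anything that is not Markdown syntax untouched, so raw HTML in the
// input lands in the output verbatim.
function markdownToHtml(md, { safeLinks = false } = {}) {
  return md
    .replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (_m, text, url) => {
      // In hardened mode drop links whose scheme could run script.
      if (safeLinks && !/^(https?:|mailto:)/i.test(url)) return text;
      return `<a href="${url}">${text}</a>`;
    });
}

// Vulnerable pipeline: message -> |md -> control panel page.
function renderVulnerable(message) {
  return markdownToHtml(message);
}

// Hardened pipeline: escape first, then parse Markdown, and refuse
// non-http(s)/mailto link targets. Escaping before parsing means the
// attacker's "<" can never become a tag, while **bold** and [links]() survive.
function renderHardened(message) {
  return markdownToHtml(escapeHtml(message), { safeLinks: true });
}

// Constructed sample: what an attacker with order-status access would store.
// alert(1) is a placeholder for the real payload, which would invoke the
// backup utility in the victim's session and post the dump elsewhere.
const STORED_MESSAGE =
  '**Shipped** via courier <img src=x onerror="alert(1)"> ' +
  "[tracking](javascript:alert%281%29)";

console.log("vulnerable:", renderVulnerable(STORED_MESSAGE));
console.log("hardened:  ", renderHardened(STORED_MESSAGE));
```

The order matters: escaping after Markdown parsing would also encode the <strong> and <a> tags the renderer legitimately produced, so the escape has to run on the raw message first. In a Craft template the equivalent is {{ message|e|md }} or a |purify pass on the rendered HTML.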
Potential Impact
For European organisations running affected Craft Commerce versions, the practical risk is a full database breach triggered by a single page view. The attacker only needs to get a crafted message into an order's status history; the damage is done when a control-panel user who holds the database backup utility permission opens that order, because the script runs in that user's session, produces a backup without any re-authentication prompt, and ships it off-site. The backup exposes customer PII, user credentials, order history and 2FA recovery codes, which enables identity theft, payment fraud and account takeover while also defeating the second factor that would normally contain a credential leak. Ecommerce operators face GDPR breach notification duties, regulatory penalties for inadequate protection of personal data, reputational damage and operational disruption, and agencies hosting several client stores on one affected codebase multiply that exposure. The same foothold supports the usual stored-XSS outcomes as well, such as actions performed with the victim's control-panel privileges or delivery of further payloads. The medium CVSS score reflects that some privileges and a passive user interaction are required, but for a data-sensitive store the realistic outcome is confidentiality loss of the entire customer database, which warrants treating this as a priority fix.
Mitigation Recommendations
1. Upgrade Craft Commerce to 4.10.1 (4.x line) or 5.5.2 (5.x line) or later; this is the only fix for the rendering bug itself.
2. Until patched, and as defence in depth afterwards, restrict the database backup utility permission to the few administrators who genuinely need it. Every account holding it is a high-value XSS victim, because the utility does not require an elevated session.
3. Review who can write order status history messages (typically anyone who can update an order's status), treat that as a content-injection capability, and keep it to trusted staff.
4. Audit existing order status history messages for raw HTML tags, inline event-handler attributes and javascript: links. A hit means the store may already have been targeted: treat it as an incident and check backup utility usage around the times the affected orders were viewed.
5. In custom templates, never pass untrusted text straight through |md; HTML-encode it first (|e before |md) or run the rendered output through |purify, and apply the same rule to any other Markdown-rendered user input.
6. Deploy a Content Security Policy for the control panel that blocks inline script where the control panel tolerates it; test carefully, since admin UIs often depend on inline scripts.
7. Monitor and alert on database backup utility invocations, in particular backups from accounts or at times that do not match normal operations practice, and correlate them with recent order status message edits.
8. Include user-supplied content rendering and permission design in regular security reviews and penetration tests.
9. Brief staff on the risk of granting broad permissions and on applying security patches promptly.
10. Where your deployment allows it, put the backup utility behind additional authentication or restrict control-panel access by network, so that a stolen backup must still traverse a monitored path.
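An audit pass a responder could run over exported order status history rows, as an added example that is not part of the advisory or of Craft Commerce. The record fields (id, orderId, userId, message) and the sample rows are constructed assumptions; the three indicators are the constructs the rendering bug lets through, and the grouping by author identifies the account to investigate.

```javascript
// Added example, not Craft Commerce code. An offline audit over order status
// history messages that flags raw HTML or script-scheme links. The record
// shape (id, orderId, userId, message) is an assumption; a real run would be
// fed rows exported from the store's order history table.

const INDICATORS = [
  // An element start or end tag: "<" immediately followed by a tag name,
  // as an HTML parser requires ("a < b" is not a tag and is not flagged).
  { name: "html-tag", re: /<\/?[a-z][a-z0-9-]*(?:[\s>\/]|$)/i },
  // Inline event handler attribute such as onerror= or onload=.
  { name: "event-handler", re: /[\s\/"']on[a-z]+\s*=/i },
  // Link target whose scheme executes script when followed.
  { name: "script-scheme", re: /\b(?:javascript|vbscript)\s*:/i },
];

// Return one finding per suspicious record with the indicators that fired.
function auditMessages(records) {
  const findings = [];
  for (const r of records) {
    const hits = INDICATORS.filter((i) => i.re.test(r.message)).map((i) => i.name);
    if (hits.length > 0) {
      findings.push({ id: r.id, orderId: r.orderId, userId: r.userId, indicators: hits });
    }
  }
  return findings;
}

// Group flagged messages by the account that wrote them, most hits first:
// the author of injected messages is the compromised or malicious account.
function suspectAuthors(findings) {
  const byUser = new Map();
  for (const f of findings) byUser.set(f.userId, (byUser.get(f.userId) || 0) + 1);
  return [...byUser.entries()].sort((a, b) => b[1] - a[1]);
}

// Constructed sample rows; the two messages from user 12 carry payloads,
// and row 5 shows a benign "<" that must not produce a false positive.
const SAMPLE_HISTORY = [
  { id: 1, orderId: 1001, userId: 7,  message: "Shipped via **DHL**, tracking [here](https://example.com/track/1)" },
  { id: 2, orderId: 1002, userId: 7,  message: "Refunded in full, customer notified by email" },
  { id: 3, orderId: 1003, userId: 12, message: 'Shipped <img src=x onerror="alert(1)">' },
  { id: 4, orderId: 1004, userId: 12, message: "Awaiting stock, see [details](javascript:alert%281%29)" },
  { id: 5, orderId: 1005, userId: 3,  message: "Order total < 100, free shipping applied" },
];

console.table(auditMessages(SAMPLE_HISTORY));
console.log("suspect authors:", suspectAuthors(auditMessages(SAMPLE_HISTORY)));
```

The indicators are deliberately broad and meant for human review rather than blocking: a false positive costs a minute of reading, while a missed payload costs the database. Once a suspect author is identified, the next step is to pull that account's login history and any backup utility activity from the control panel logs.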
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.821Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69823eb3f9fa50a62fd8ce74
Added to database: 2/3/2026, 6:30:11 PM
Last enriched: 2/3/2026, 6:47:01 PM
Last updated: 2/7/2026, 3:58:29 PM