CVE-2026-25484 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in Craft Commerce, an ecommerce extension for Craft CMS. The flaw exists in versions from 4.0.0-RC1 up to 4.10.0 and 5.0.0 up to 5.5.1. Specifically, the vulnerability stems from the improper neutralization of input in the Product Type names field. These names are stored without adequate sanitization and later rendered in the CMS user permissions settings page without escaping, creating a sink for malicious scripts. An attacker with authenticated high privileges can inject malicious JavaScript payloads into Product Type names, which will execute in the browsers of administrators or users managing permissions. The CVSS 4.0 score of 4.8 reflects a medium severity, considering the network attack vector, low attack complexity, no privileges required for exploitation beyond authenticated high privileges, and user interaction needed. The vulnerability does not affect confidentiality, integrity, or availability directly but poses a risk of session hijacking, credential theft, or unauthorized actions via script execution in the context of privileged users. The issue has been addressed in Craft Commerce versions 4.10.1 and 5.5.2 by implementing proper input sanitization and output encoding. No public exploits have been reported, but the vulnerability should be treated seriously due to the potential impact on administrative interfaces.

For European organizations using Craft Commerce within the vulnerable version ranges, this XSS vulnerability could lead to significant security risks. Since the exploit requires authenticated users with high privileges, the threat primarily targets internal users or compromised accounts. Successful exploitation could allow attackers to execute arbitrary scripts in the context of administrative users, potentially leading to session hijacking, unauthorized changes to permissions, or further lateral movement within the CMS environment. This could result in data leakage, unauthorized access to sensitive ecommerce data, or disruption of ecommerce operations. Given the ecommerce context, such attacks could undermine customer trust and lead to regulatory compliance issues under GDPR if personal data is exposed. The medium CVSS score indicates moderate risk, but the impact on critical ecommerce infrastructure and administrative control panels elevates the importance of timely remediation.

European organizations should immediately upgrade Craft Commerce installations to versions 4.10.1 or 5.5.2 or later to apply the official patches. Beyond patching, organizations should conduct a thorough audit of all Product Type names and other user-generated inputs for suspicious content. Implement strict input validation and output encoding policies within the CMS and ecommerce platform to prevent injection of malicious scripts. Limit the number of users with high privileges to reduce the attack surface and enforce strong authentication mechanisms such as multi-factor authentication (MFA). Regularly monitor CMS logs and user activity for anomalous behavior indicative of exploitation attempts. Additionally, consider deploying Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS attacks. Training administrators and developers on secure coding and input handling practices will further reduce future risks.