CVE-2026-25485 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 that impacts Craft Commerce, an ecommerce platform integrated with Craft CMS. The vulnerability exists in versions from 4.0.0-RC1 up to 4.10.0 and from 5.0.0 up to 5.5.1. The root cause is the improper neutralization of input fields—specifically the Shipping Categories' Name and Description fields within the Store Management section of the admin panel. These fields are not properly sanitized before rendering, allowing an attacker to inject malicious JavaScript code that is stored and later executed in the context of an administrator's browser session. This stored XSS can lead to session hijacking, privilege escalation, or unauthorized actions performed with administrative privileges. Exploitation does not require prior authentication but does require that an attacker can submit crafted input that will be viewed by an administrator, implying some level of user interaction. The vulnerability has been addressed and patched in Craft Commerce versions 4.10.1 and 5.5.2. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H but with user interaction UI:P), and scope change (SI:H), resulting in a medium severity score of 6.2. No known exploits have been reported in the wild as of the publication date. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in administrative interfaces where the impact of exploitation is higher.

For European organizations using Craft Commerce within their ecommerce infrastructure, this vulnerability poses a significant risk to the confidentiality and integrity of administrative sessions and data. Successful exploitation could allow attackers to execute arbitrary JavaScript in the administrator's browser, potentially leading to session hijacking, theft of sensitive credentials, unauthorized modification of ecommerce settings, or insertion of malicious content affecting customers. This could result in financial losses, reputational damage, and regulatory non-compliance, especially under GDPR requirements for data protection. Since the vulnerability affects administrative interfaces, the impact on availability is lower but indirect effects such as administrative lockout or platform manipulation could occur. The medium severity rating reflects that while exploitation requires some user interaction and administrative access to the interface, the ease of injection and potential consequences warrant prompt remediation. European ecommerce businesses, particularly those with high transaction volumes or handling sensitive customer data, should consider this vulnerability a priority to mitigate.

European organizations should immediately upgrade Craft Commerce installations to versions 4.10.1 or 5.5.2 or later, where the vulnerability is patched. Until upgrades can be applied, administrators should restrict access to the Store Management section to trusted personnel only and monitor for suspicious input in Shipping Categories fields. Implementing Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting these fields can provide temporary protection. Additionally, organizations should audit existing Shipping Categories entries for suspicious or unexpected script content and sanitize or remove them. Enforcing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular security training for administrators to recognize phishing or social engineering attempts that might lead to viewing malicious inputs is also recommended. Finally, integrating automated scanning tools to detect XSS vulnerabilities in administrative interfaces can help identify similar issues proactively.