CVE-2026-25487 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting Craft Commerce, an ecommerce platform built on Craft CMS. The flaw exists in versions from 4.0.0-RC1 up to 4.10.0 and 5.0.0 up to 5.5.1, where the Tax Rates 'Name' field in the Store Management section is not properly sanitized before rendering in the administrative interface. This improper neutralization of input allows an attacker with administrative privileges to inject malicious JavaScript code that is stored and later executed in the context of an administrator's browser session. Because the vulnerability is stored, the malicious script persists and can affect any administrator who views the compromised field. The attack vector requires authenticated access with high privileges (administrator) and some user interaction (viewing the affected page). The impact includes potential session hijacking, unauthorized actions, data theft, or further compromise of the administrative environment. The vulnerability has been addressed in Craft Commerce versions 4.10.1 and 5.5.2 by properly sanitizing the input in the Tax Rates 'Name' field. The CVSS v4.0 score of 6.1 reflects a medium severity, considering the network attack vector, low attack complexity, no privileges required for attack initiation (though high privileges are needed), and user interaction. No known exploits are reported in the wild as of the published date.

For European organizations using Craft Commerce within the affected version ranges, this vulnerability poses a significant risk to the confidentiality and integrity of their ecommerce administrative environments. Exploitation could lead to unauthorized administrative actions, theft of sensitive customer or business data, and potential disruption of ecommerce operations. Given that the vulnerability requires administrator-level access, the threat is primarily from insider threats or attackers who have already compromised lower-level credentials. However, successful exploitation could escalate privileges or facilitate further attacks. The persistence of malicious scripts in the admin panel increases the risk of widespread compromise if multiple administrators access the affected interface. This could undermine trust in the ecommerce platform, lead to financial losses, and damage brand reputation. The medium severity rating suggests that while the vulnerability is serious, it is not trivially exploitable by remote unauthenticated attackers, somewhat limiting the scope of impact.

European organizations should immediately upgrade Craft Commerce installations to versions 4.10.1 or 5.5.2 or later, where the vulnerability is patched. Until upgrades are possible, administrators should restrict access to the Store Management section to trusted personnel only and monitor for unusual activity. Input validation and sanitization should be enforced at the application level, especially for fields that are rendered in administrative interfaces. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting the execution of unauthorized scripts. Conduct regular security audits and penetration testing focusing on administrative interfaces. Educate administrators about the risks of XSS and the importance of cautious interaction with user-generated content. Additionally, review logs for suspicious input in the Tax Rates 'Name' field and remove any suspicious entries. Employ multi-factor authentication (MFA) for administrative accounts to reduce the risk of credential compromise.