
CVE-2026-25488: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms commerce

Medium
Tags: Vulnerability, CVE-2026-25488, CWE-79
Published: Tue Feb 03 2026 (02/03/2026, 18:07:25 UTC)
Source: CVE Database V5
Vendor/Project: craftcms
Product: commerce

Description

CVE-2026-25488 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce versions 4.0.0-RC1 to 4.10.0 and 5.0.0 to 5.5.1. The flaw arises from improper sanitization of the Tax Categories (Name & Description) fields in the Store Management admin panel, allowing attackers to inject malicious JavaScript that executes in an administrator's browser.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/11/2026, 11:43:10 UTC

Technical Analysis

CVE-2026-25488 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Craft Commerce plugin for Craft CMS, affecting versions from 4.0.0-RC1 up to 4.10.0 and from 5.0.0 up to 5.5.1. The vulnerability stems from improper neutralization of input in the Tax Categories fields (Name and Description) within the Store Management section of the administrative interface. Specifically, these fields are not adequately sanitized or encoded before being rendered in the admin panel, so an attacker with rights to create or modify tax categories can store JavaScript in them. When an administrator views the affected page, the stored script executes in that administrator's browser context, potentially allowing session hijacking, privilege escalation, or other malicious actions within the admin interface. Exploitation requires the attacker to already hold high privileges (e.g., a user with rights to modify tax categories) and requires user interaction (the admin must view the malicious content). The vulnerability does not bypass authentication and does not directly compromise the confidentiality, integrity, or availability of the system, but it can lead to indirect compromise through administrative session hijacking or manipulation. The issue has been addressed in Craft Commerce versions 4.10.1 and 5.5.2 by implementing proper input sanitization and output encoding. No public exploits have been reported to date, but the medium CVSS score of 6.1 reflects the moderate risk due to the administrative context and stored nature of the XSS. Organizations running affected versions should upgrade promptly to mitigate risk.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to ecommerce platforms using Craft Commerce integrated with Craft CMS. Successful exploitation can lead to administrative account compromise through session hijacking or execution of arbitrary scripts in the admin context, potentially allowing attackers to manipulate store configurations, access sensitive customer data, or disrupt ecommerce operations. Given the administrative scope, the impact on confidentiality and integrity is moderate but could escalate if attackers leverage the access to deploy further attacks or extract sensitive information. Availability impact is minimal unless attackers use the access to disrupt services. The threat is particularly relevant for organizations with complex ecommerce operations relying on Craft Commerce for tax management and store configuration. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often target ecommerce platforms. The medium severity rating suggests that while the vulnerability is not critical, it warrants timely remediation to prevent exploitation in environments where administrative access is valuable.

Mitigation Recommendations

European organizations should immediately upgrade Craft Commerce to versions 4.10.1 or 5.5.2 or later to apply the official patch addressing this XSS vulnerability. Until patching is possible, organizations should restrict administrative access to trusted personnel only and implement network-level controls such as IP whitelisting or VPN access for the admin panel to reduce exposure. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly auditing and sanitizing user-generated content in tax categories and other input fields can reduce the risk of malicious input. Monitoring administrative logs for unusual activity or unexpected changes to tax categories can provide early detection of exploitation attempts. Finally, educating administrators about the risks of clicking on suspicious links or viewing untrusted content within the admin panel can reduce the likelihood of successful exploitation.
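The following added example (not code from Craft Commerce or from this advisory) illustrates the two technical mitigations above on the fields the advisory names: an admin-panel row renderer in the unencoded form the advisory describes beside a hardened form that HTML-encodes the Tax Category Name and Description, plus an audit routine that flags stored markup. The records, the row markup and the baseline CSP value are constructed assumptions, not Craft's own templates or configuration.

```python
import html
import re

# Constructed sample of stored Tax Categories rows (test data, not real records);
# the second row carries markup in the Description field.
TAX_CATEGORIES = [
    {"name": "Standard", "description": "Default rate"},
    {"name": "Reduced", "description": "Books <script>alert(1)</script>"},
]

def render_row_vulnerable(cat):
    """Pattern the advisory describes: stored field values interpolated into
    admin-panel HTML with no output encoding (kept only for comparison)."""
    return f"<tr><td>{cat['name']}</td><td>{cat['description']}</td></tr>"

def render_row_fixed(cat):
    """Hardened rendering: HTML-encode each field before it enters an HTML body
    context, so stored markup is displayed as text rather than executed."""
    name = html.escape(cat["name"], quote=True)
    desc = html.escape(cat["description"], quote=True)
    return f"<tr><td>{name}</td><td>{desc}</td></tr>"

# Matches any opening or closing HTML tag; used only for the audit, never as a
# substitute for output encoding at render time.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def audit_tax_categories(rows):
    """Audit already-stored rows for markup in Name/Description (the periodic
    auditing the advisory recommends); returns (row index, field) findings."""
    findings = []
    for i, cat in enumerate(rows):
        for field in ("name", "description"):
            if TAG_RE.search(cat[field]):
                findings.append((i, field))
    return findings

def csp_header():
    """Assumed baseline CSP for the admin panel: inline scripts are disallowed
    because no 'unsafe-inline' appears. Tune script-src to what the panel loads."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"

if __name__ == "__main__":
    for cat in TAX_CATEGORIES:
        print(render_row_fixed(cat))
    print("audit findings:", audit_tax_categories(TAX_CATEGORIES))
    print("Content-Security-Policy:", csp_header())
```

The audit is a detection aid for records stored before the upgrade; the fix itself is the output encoding in `render_row_fixed` together with the vendor patch.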


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-02T16:31:35.823Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69823eb4f9fa50a62fd8cea9

Added to database: 2/3/2026, 6:30:12 PM

Last enriched: 2/11/2026, 11:43:10 AM

Last updated: 3/24/2026, 7:11:38 AM

