CVE-2026-29173: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms commerce
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.
AI Analysis
Technical Summary
CVE-2026-29173 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting Craft Commerce, a widely used ecommerce plugin for Craft CMS. The vulnerability arises because the Order Status Name field is not properly escaped when rendered in the Commerce Orders Table interface. An authenticated user with permission to update order statuses can inject malicious JavaScript code into the Order Status Name. When other users, such as administrators or staff, view the orders table, the injected script executes in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the CMS environment. The vulnerability affects Craft Commerce versions from 4.0.0 up to but not including 4.10.2, and from 5.0.0 up to but not including 5.5.3. Exploitation requires authenticated access with privileges to modify order statuses, and user interaction is necessary for the malicious script to execute (i.e., a victim viewing the affected page). The CVSS 4.0 vector indicates a network attack vector, low attack complexity, high privileges required (PR:H), user interaction required, and low impact ratings. No known active exploits have been reported. The vendor has addressed the issue in versions 4.10.2 and 5.5.3 by properly escaping the Order Status Name during rendering, mitigating the risk of script injection.
Potential Impact
The primary impact of this vulnerability is the potential for stored XSS attacks within the Craft Commerce administrative interface. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of other authenticated users, potentially leading to session hijacking, theft of sensitive information, or performing unauthorized actions on behalf of legitimate users. However, the requirement for authenticated access with privileges to update order statuses limits the attack surface to trusted users or compromised accounts. The vulnerability does not affect the confidentiality, integrity, or availability of the underlying server directly but can compromise user sessions and data confidentiality within the CMS environment. Organizations using affected versions of Craft Commerce may face risks of internal account compromise or lateral movement if attackers leverage this vulnerability in combination with other weaknesses. Since no public exploits are known, the immediate risk is low, but the vulnerability should be addressed promptly to prevent potential abuse, especially in environments with multiple administrators or staff members accessing the orders interface.
Mitigation Recommendations
Organizations should upgrade Craft Commerce to versions 4.10.2 or 5.5.3 or later, where this vulnerability is fixed. Until upgrades can be performed, administrators should restrict permissions to update order statuses to only highly trusted users to reduce the risk of malicious input. Implementing strict input validation and output encoding on all user-supplied data fields within the CMS can further mitigate XSS risks. Additionally, enabling Content Security Policy (CSP) headers can help limit the impact of any injected scripts by restricting script execution sources. Regularly auditing user roles and permissions to minimize privilege exposure and monitoring logs for suspicious activity related to order status updates are recommended. Educating users about the risks of XSS and encouraging cautious behavior when interacting with order management interfaces can also reduce exploitation likelihood. Finally, applying web application firewalls (WAFs) with rules targeting XSS payloads may provide an additional layer of defense.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T14:44:00.712Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b07bba2f860ef943b24cc5
Added to database: 3/10/2026, 8:14:50 PM
Last enriched: 3/10/2026, 8:30:38 PM
Last updated: 3/13/2026, 3:21:52 PM