GHSA-g92v-wpv7-6w22
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g92v-wpv7-6w22
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-g92v-wpv7-6w22/GHSA-g92v-wpv7-6w22.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g92v-wpv7-6w22
- Aliases
- Published
- 2026-02-02T22:49:55Z
- Modified
- 2026-02-22T23:24:29.047067Z
- Severity
-
- 6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N CVSS Calculator
- Summary
- Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation
- Details
-
Summary
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel.
Proof of Concept
Requirments
- General permissions:
- Access the control panel
- Access Craft Commerce
- Craft Commerce permissions:
- Manage store settings
- Manage shipping
- An active administrator elevated session
Steps to Reproduce
- Log in to the Admin Panel with the attacker account with the permissions mentioned above.
- Navigate to Commerce -> Store Management -> Shipping Methods (
/admin/commerce/store-management/primary/shippingmethods). - Create a new shipping method.
- In the Name field, enter the following payload:
<img src=x onerror="alert(document.domain)"> - Click Save & Go back to the previous page.
- Notice the alert proving JavaScript execution.
Privilege Escalation to Administrator:
- Do the same steps above, but replace the payload with a malicious one.
- The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the
<UserID>with your attacker id: <img src=x onerror="fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})">In another browser, log in as an admin & go to the vulnerable page (shipping methods page).
- Go back to your attacker account & notice you are now an admin.
The privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh, elevated session to complete the attack. Or even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it’s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.
Resources:
https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
- General permissions:
- Database specific
{ "nvd_published_at": "2026-02-03T19:16:26Z", "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2026-02-02T22:49:55Z", "severity": "MODERATE" }- References
-
- https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22
- https://nvd.nist.gov/vuln/detail/CVE-2026-25486
- https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
- https://github.com/craftcms/commerce
- https://github.com/craftcms/commerce/releases/tag/5.5.2
Affected packages
Packagist / craftcms/commerce
Package
- Name
- craftcms/commerce
- Purl
- pkg:composer/craftcms/commerce