Stored XSS while updating Order Status from Orders Table

Low
angrybrad published GHSA-mqxf-2998-c6cp Mar 9, 2026

Package

composer craftcms/commerce (Composer)

Affected versions

>= 4.0.0 <= 4.10.1
>= 5.0.0 <= 5.5.2

Patched versions

4.10.2
5.5.3

Description

Summary

A stored cross-site scripting (XSS) vulnerability exists when a user updates the Order Status from the Commerce Orders table. The Order Status Name is rendered without proper escaping, so a script stored in that field executes in the browser of whoever performs the update.

Proof of Concept

Required Permissions

  • Admin access (to edit/create Order Statuses)

Steps to Reproduce

  1. Log in with an admin account
  2. Navigate to Commerce → Settings → Order Statuses
  3. Create a new order status
  4. Set the Name field to:
     <img src=x onerror="alert('Order Statuses XSS')">
  5. Save the order status
  6. Go to Commerce → Orders (make sure at least one order exists)
  7. From the left panel, select any Order Status (e.g., New)
  8. Select any order from the orders table → click the Gear icon → then click "Update Order Status..."
  9. Observe the XSS payload executing
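
The following is an added illustration, not code from Craft Commerce or from this advisory, of the rendering defect the summary describes and the output escaping that mitigates it. The menu structure, the field names (`handle`, `name`) and the function names are assumed for the example; the constructed sample data reuses the status name from the reproduction steps above. It is written as a generic browser-side snippet; whichever layer actually renders the status name (server-side template or client-side script), the rule is the same: escape untrusted values at the point they are written into HTML.

```javascript
// Added illustration (not Craft Commerce code): how an order-status name
// reaches a page unsafely versus safely. Field names and the menu shape are
// assumptions made for this example.

// Constructed sample data modelled on the advisory's proof of concept.
const ORDER_STATUSES = [
  { handle: "new", name: "New" },
  { handle: "shipped", name: "Shipped" },
  // The name from the reproduction steps, stored verbatim as an admin saved it.
  { handle: "poc", name: "<img src=x onerror=\"alert('Order Statuses XSS')\">" },
];

// Minimal HTML escaper for text placed into element content or into a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored name is concatenated into markup as-is.
// A browser parsing this fragment creates the <img> element and runs its
// onerror handler, which is the behaviour the advisory describes.
function renderStatusMenuUnsafe(statuses) {
  return statuses
    .map((s) => `<li data-handle="${s.handle}">${s.name}</li>`)
    .join("");
}

// Hardened pattern: every untrusted value is escaped where it is written
// into HTML, so the stored name is displayed literally instead of parsed.
function renderStatusMenuSafe(statuses) {
  return statuses
    .map((s) => `<li data-handle="${escapeHtml(s.handle)}">${escapeHtml(s.name)}</li>`)
    .join("");
}

// Review/test helper: the rendered menu must contain no tag tokens other
// than the <li> elements the template itself emits. Escaped text such as
// "&lt;img" has no literal "<" and therefore does not count as a tag.
function hasUnexpectedTags(html) {
  const tags = html.match(/<\/?[a-z][a-z0-9]*/gi) || [];
  return tags.some((tag) => !/^<\/?li$/i.test(tag));
}

// In a real browser the DOM API avoids string building entirely:
//   const li = document.createElement("li");
//   li.dataset.handle = status.handle;
//   li.textContent = status.name;   // never parsed as HTML
```

The `hasUnexpectedTags` check is the kind of assertion a regression test for this advisory could carry: render the menu with a status whose name contains markup and require that the only tags in the output are the ones the template wrote itself.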

References

Severity

Low

CVE ID

CVE-2026-29173

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Credits