GHSA-MQXF-2998-C6CP
Vulnerability from github – Published: 2026-03-10 18:23 – Updated: 2026-03-10 22:55
Summary
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
Details
Summary
A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur.
Proof of Concept
Required Permissions
- Admin access (to edit/create Order Statuses)
Steps to Reproduce
1. Log in with an admin account
2. Navigate to Commerce → Settings → Order Statuses
3. Create a new order status
4. Set the Name field to:
<img src=x onerror="alert('Order Statuses XSS')">
5. Save the order status
6. Go to Commerce → Orders (make sure at least one order has been placed)
7. From the left panel, select any Order Status (e.g., New)
8. Select any order from the orders table → Click on the Gear Icon → then click "Update Order Status..."
9. Notice the XSS execution
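The root cause stated above is an order status name that reaches control-panel markup without escaping. The following is an added illustration, not code from Craft Commerce or from the advisory: it renders the same status records two ways, once by concatenating the name straight into the menu markup (the pattern the advisory describes) and once with output encoding applied to every user-controlled value, and includes a small check a unit test or template lint can use to catch the difference. The record shape, function names and the `handle` field are assumptions made for the example; the sample name is the payload quoted in the advisory, embedded here as constructed test input.

```javascript
// Added example (not Craft Commerce's own code). The status record shape
// ({ handle, name }) and all function names below are assumptions.

// Constructed sample records, including the name quoted in the advisory.
const SAMPLE_STATUSES = [
  { handle: 'new', name: 'New' },
  { handle: 'evil', name: '<img src=x onerror="alert(\'Order Statuses XSS\')">' },
];

// Minimal HTML escaping that is safe for both element content and
// double-quoted attribute values: every character that can open or close a
// tag, an attribute value or an entity is replaced by its entity reference.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so a name that contains a tag becomes live HTML once the menu is inserted.
function renderStatusOptionUnsafe(status) {
  return `<li><a data-handle="${status.handle}">${status.name}</a></li>`;
}

// Hardened pattern: each user-controlled value is encoded at the point it
// enters markup, in the attribute context and in the element-content context.
function renderStatusOptionSafe(status) {
  return `<li><a data-handle="${escapeHtml(status.handle)}">${escapeHtml(status.name)}</a></li>`;
}

// Builds the whole "Update Order Status..." list with the given item renderer.
function renderMenu(statuses, renderItem) {
  return `<ul>${statuses.map(renderItem).join('')}</ul>`;
}

// Detection helper: report whether a rendered fragment contains any tag other
// than the ones the renderer itself is expected to emit. Escaped names never
// produce a literal "<", so they cannot introduce a foreign tag.
function containsForeignTag(html, allowed = ['ul', 'li', 'a']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((tag) => !allowed.includes(tag));
}

// Stand-alone demonstration of the two renderings side by side.
console.log('unsafe:', renderMenu(SAMPLE_STATUSES, renderStatusOptionUnsafe));
console.log('safe:  ', renderMenu(SAMPLE_STATUSES, renderStatusOptionSafe));
```

The same idea applies regardless of whether the menu is produced by a Twig template or by control-panel JavaScript: the fix is to encode at the output boundary, not to filter the name on input, because the name is also legitimately shown in other contexts. The `containsForeignTag` check is useful as a regression test for the patched code path, asserting that no status name, whatever it contains, can add a tag to the rendered menu.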
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.10.1"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.5.2"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29173"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T18:23:17Z",
"nvd_published_at": "2026-03-10T20:16:38Z",
"severity": "LOW"
},
"details": "## Summary\nA stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur.\n\n---\n## Proof of Concept\n### Required Permissions\n- Admin access (to edit/create Order Statuses)\n\n### Steps to Reproduce\n1. Log in with an admin account\n2. Navigate to **Commerce** \u2192 **Settings** \u2192 **Order Statuses**\n3. Create a new order status\n4. Set the **Name** field to:\n```html\n\u003cimg src=x onerror=\"alert(\u0027Order Statuses XSS\u0027)\"\u003e\n```\n5. Save the order status\n6. Go to Commerce \u2192 Orders (make sure you placed any orders)\n7. From the left panel, select any Order Status (e.g., New)\n8. Select any order from the orders table \u2192 Click on the Gear Icon \u2192 then click \"Update Order Status...\"\n9. Notice the XSS execution",
"id": "GHSA-mqxf-2998-c6cp",
"modified": "2026-03-10T22:55:16Z",
"published": "2026-03-10T18:23:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29173"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/commit/60cdc505c03b6fa2f59715e8c060114b66334afa"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/commit/a2ea853935ef03297ea1298bdb0d8c55ec5daf7b"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/commerce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table"
}