Platform
php
Component
craftcms/commerce
Fixed in
4.0.1
5.0.1
4.10.2
A stored Cross-Site Scripting (XSS) vulnerability has been identified in Craft Commerce, specifically within the Order Status management section. This flaw allows an attacker to inject malicious scripts when updating the Order Status Name, potentially leading to unauthorized actions or data theft. The vulnerability affects versions of Craft Commerce up to 4.9.4, and a fix is available in version 4.10.2.
Successful exploitation of CVE-2026-29173 allows an attacker to execute arbitrary JavaScript code in the context of an administrator's session. This could lead to account takeover, data exfiltration (including sensitive customer information), and defacement of the Commerce site. The impact is particularly severe as it targets administrative accounts, granting attackers a high level of control over the entire e-commerce platform. The attack leverages the lack of proper output encoding when rendering the Order Status Name, a common XSS vector. While the CVSS score is LOW, the potential for significant damage to the business and customer trust warrants immediate attention.
This vulnerability was publicly disclosed on 2026-03-10. A proof-of-concept (POC) demonstrating the XSS vulnerability is readily available. As of this writing, there are no reports of active exploitation campaigns targeting CVE-2026-29173, but the ease of exploitation and the potential impact warrant close monitoring. The vulnerability is not currently listed on CISA KEV.
Organizations using Craft Commerce versions 4.9.4 and earlier, particularly those with limited security controls or inadequate input validation practices, are at significant risk. Sites with multiple administrator accounts or those handling sensitive customer data are especially vulnerable.
• php: Examine Craft Commerce application logs for suspicious POST requests to the Order Statuses endpoint with unusual characters in the Name field.
• generic web: Use curl to test the Order Statuses endpoint with a payload like <script>alert('XSS')</script> and observe the response for JavaScript execution.
• wordpress / composer / npm: N/A - This vulnerability is specific to the Craft CMS Commerce plugin.
• database (mysql, redis, mongodb, postgresql): N/A - This vulnerability is not directly exploitable through database queries.
• linux / server: N/A - This vulnerability is specific to the Craft CMS Commerce plugin and its PHP code.
• windows / supply-chain: N/A - This vulnerability is specific to the Craft CMS Commerce plugin and its PHP code.
Exploit Status
EPSS
0.01% (1st percentile)
CISA SSVC
The primary mitigation for CVE-2026-29173 is to upgrade Craft Commerce to version 4.10.2 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on the Order Status Name field to prevent malicious script injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the Commerce Orders Table can provide an additional layer of protection. Regularly review and sanitize all user-supplied input to minimize the risk of XSS vulnerabilities.
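As an added illustration of the log check listed above under php and of the output-encoding mitigation just described (this is not code from Craft CMS, Craft Commerce or this advisory), the following Python scans constructed application-log lines for Order Status saves whose Name field carries HTML-significant characters, and shows the entity encoding that renders such a stored name as inert text. The JSON log format and the `commerce/order-statuses/save` action name are assumptions made for the example.

```python
import html
import json
import re
from urllib.parse import parse_qs

# Constructed sample log lines, one JSON record per line, as an application or
# WAF log might record POST bodies. Not taken from any real deployment.
SAMPLE_LOG = """
{"ts":"2026-03-11T09:12:03Z","method":"POST","path":"/admin/index.php","user":"admin","body":"action=commerce%2Forder-statuses%2Fsave&name=Shipped&handle=shipped"}
{"ts":"2026-03-11T09:15:44Z","method":"POST","path":"/admin/index.php","user":"editor2","body":"action=commerce%2Forder-statuses%2Fsave&name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&handle=shipped"}
{"ts":"2026-03-11T09:16:10Z","method":"POST","path":"/admin/index.php","user":"editor2","body":"action=commerce%2Forder-statuses%2Fsave&name=Paid%20%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E&handle=paid"}
{"ts":"2026-03-11T09:20:00Z","method":"GET","path":"/admin/commerce/orders","user":"admin","body":""}
"""

# Assumed controller action that saves an order status (hypothetical name).
STATUS_SAVE_ACTION = "commerce/order-statuses/save"

# Characters and syntax that have no legitimate place in a status display name:
# tag delimiters, quotes, javascript: URLs and inline event handlers.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)


def find_suspicious_status_updates(log_text):
    """Return (timestamp, user, name) for every POST that saves an order status
    whose decoded Name field matches the SUSPICIOUS pattern."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST":
            continue
        params = parse_qs(rec["body"])  # percent-decodes the form fields
        if params.get("action", [""])[0] != STATUS_SAVE_ACTION:
            continue
        name = params.get("name", [""])[0]
        if SUSPICIOUS.search(name):
            hits.append((rec["ts"], rec["user"], name))
    return hits


def encode_status_name(name):
    """Output encoding for the orders table: entity-encode the stored name so the
    browser renders it as text rather than parsing it as markup."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for ts, user, name in find_suspicious_status_updates(SAMPLE_LOG):
        print(f"{ts} {user}: {name!r} -> rendered as {encode_status_name(name)}")
```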
Update Craft Commerce to version 4.10.2 or later if you are on the 4.x series, or to version 5.5.3 or later if you are on the 5.x series. This fixes the stored XSS vulnerability triggered when updating the order status from the orders table.
CVE-2026-29173 is a stored Cross-Site Scripting (XSS) vulnerability in Craft Commerce affecting versions up to 4.9.4. It allows attackers to inject malicious scripts via Order Status Names.
You are affected if you are using Craft Commerce versions 4.9.4 or earlier. Upgrade to 4.10.2 to mitigate the risk.
Upgrade Craft Commerce to version 4.10.2 or later. Implement input validation and output encoding as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability is easily exploitable and should be addressed promptly.
Refer to the official Craft CMS security advisory for details and updates: [https://craftcms.com/security/](https://craftcms.com/security/)