Craft Commerce Stored Cross-Site Scripting Vulnerability in Order Status Update
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Craft Commerce versions 4.0.0 up to but not including 4.10.2, and 5.0.0 up to but not including 5.5.3. When a user changes an order's status from the Commerce Orders table, the Order Status Name is rendered into the control panel without HTML escaping, so a status name that contains markup is interpreted as HTML and any embedded script runs.
Impact
Exploitation allows stored cross-site scripting: a user who can create or edit order statuses (an admin account in the reproduction below) can store a script payload in a status name, and it executes in the browser, and with the session privileges, of any control-panel user who subsequently updates an order to that status. Because the payload persists in the status name, it fires on every such update until the status is renamed or the fix is applied.
Reproduction
To reproduce this on a non-production instance, log in with an admin account and navigate to 'Commerce' → 'Settings' → 'Order Statuses'. Create a new order status whose name contains an image tag with an 'onerror' event handler (for example an <img> element with an invalid src and an onerror handler that calls alert()). Save the status, then go to 'Commerce' → 'Orders', select an order, and update its status to the one you just created. The handler runs as soon as the status name is rendered, confirming that the name is inserted into the page as HTML rather than as escaped text.
Remediation
Update to Craft Commerce 4.10.2 or 5.5.3 (or a later release on the same branch), which escape the status name when it is rendered. After upgrading, repeat the reproduction steps: the status name should appear literally, with the image tag shown as text and no handler executing. Also review existing order statuses for names containing markup, since a payload stored before the upgrade remains in the database even though it is no longer rendered as HTML.
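The following is an added example, not code from Craft Commerce or from this advisory, that illustrates the rendering defect described above and the kind of fix the patched releases apply: a stored status name spliced into control-panel markup as-is, beside the same rendering with HTML escaping applied first. The function names (renderStatusCellUnsafe, renderStatusCellSafe, escapeHtml, hasEventHandlerInTag) and the sample status objects are assumptions made for illustration; the payload mirrors the image-tag-with-onerror shape the reproduction steps describe.

```javascript
// Added example (not Craft Commerce code). Contrasts unescaped and escaped
// rendering of a stored Order Status name into an orders-table cell, and
// provides a small smoke check that flags markup carrying an inline event
// handler. All names below are illustrative assumptions.

const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of HTML text or a quoted
// attribute value. This is the same contextual escaping a template engine's
// autoescape applies; it must happen at output time, not at save time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: the stored name goes straight into the markup string,
// so a name like "<img src=x onerror=alert(1)>" becomes a real element.
function renderStatusCellUnsafe(status) {
  return `<td class="order-status">${status.name}</td>`;
}

// Hardened pattern: identical markup, but the untrusted value is escaped
// first, so the browser shows the tag as literal text and runs nothing.
function renderStatusCellSafe(status) {
  return `<td class="order-status">${escapeHtml(status.name)}</td>`;
}

// Smoke check for test suites: true if any element in the markup carries an
// inline on*= attribute. It only inspects attributes inside a real tag, so
// an escaped "&lt;img ... onerror=..." in text content does not trigger it.
// This is a regression check, not a sanitizer; the fix is escaping on output.
function hasEventHandlerInTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample data: one benign status and one carrying the payload
// shape from the reproduction steps.
const SAMPLE_STATUSES = [
  { handle: 'shipped', name: 'Shipped & "Done"' },
  { handle: 'evil', name: '<img src=x onerror=alert(document.domain)>' },
];

// Render every sample status both ways and report which renderer leaks
// an injected handler; returns a summary object rather than printing it.
function auditRenderers(statuses = SAMPLE_STATUSES) {
  const report = { unsafeFlagged: [], safeFlagged: [] };
  for (const status of statuses) {
    if (hasEventHandlerInTag(renderStatusCellUnsafe(status))) {
      report.unsafeFlagged.push(status.handle);
    }
    if (hasEventHandlerInTag(renderStatusCellSafe(status))) {
      report.safeFlagged.push(status.handle);
    }
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditRenderers());
}
```

The important design point is where the escaping lives: in the renderer that emits the cell, not in the form that saves the status. Escaping on save would leave other output paths (API responses, emails, exports) with double-encoded or inconsistently encoded names, whereas escaping at the point of HTML output protects every render of the value regardless of how it was stored.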
