### Critical Vulnerability Information

#### Vulnerability Overview

- **Name**: Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation
- **CVE ID**: CVE-2026-25485
- **Severity**: Moderate
- **GHSA ID**: GHSA-w8gw-qm8p-j9j3

#### Affected Scope

- **Affected Versions**:
  - `craftcms/commerce`: >= 5.0.0-RC1
  - `craftcms/commerce`: >= 4.0.0-RC1

#### Proof of Concept

2. Navigate to `Store Management -> Shipping Categories`.
3. Create a new shipping category.
4. In the `Name` field, input the following payload:

   ```html
   ```

5. Click `Save` and return to the previous page.
6. Observe the JavaScript alert being executed.

#### Privilege Escalation

1. Follow the same steps above, but replace the payload with a malicious one.
2. Using the following payload, escalate the attacker’s account to administrator once an administrator with an active elevated session views the page:

   ```html
   /permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenName}=${Craft.csrfTokenValue}`})">
   ```

3. In another browser, log in as an administrator and navigate to the vulnerable page (Shipping Categories page).
4. Return to the attacker’s account and note that the account is now elevated to administrator.

#### Patch Upgrade Recommendation

- Ensure `craftcms/commerce` is updated to version 5.5.2 or 4.10.1.
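The root cause described above is a stored field value (the shipping category name or description) reaching control-panel HTML without output encoding. The PHP below is an added illustration written for this page, not Craft Commerce code: it places the unescaped rendering pattern next to the encoded one and runs both over a constructed sample name. The `<td>` wrapper and the function names are assumptions for the example; Craft itself renders these fields through Twig templates.

```php
<?php
// Added example, not Craft Commerce source. Shows why a stored shipping
// category name must be HTML-encoded before it is placed in markup.

declare(strict_types=1);

/**
 * Vulnerable pattern: the stored value is interpolated into HTML verbatim,
 * so any markup saved in the Name field becomes live DOM for whoever views
 * the Shipping Categories page, including an administrator.
 */
function renderNameUnsafe(string $storedName): string
{
    // Table cell is an assumed rendering context for the example.
    return "<td class=\"name\">{$storedName}</td>";
}

/**
 * Hardened pattern: encode for the HTML text context. ENT_QUOTES also
 * encodes single and double quotes, so the same encoding is safe inside
 * attribute values; ENT_SUBSTITUTE avoids returning an empty string on
 * invalid UTF-8 instead of silently dropping the value. In Twig this is
 * what autoescape (or the |e filter) does; |raw disables it.
 */
function renderNameSafe(string $storedName): string
{
    $encoded = htmlspecialchars(
        $storedName,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return "<td class=\"name\">{$encoded}</td>";
}

/**
 * Defensive check a reviewer can run over rendered output: after encoding,
 * no angle bracket or quote from the untrusted value may survive as markup.
 */
function containsActiveMarkup(string $renderedCell, string $storedName): bool
{
    // Strip the trusted wrapper we added, then look for raw markup characters.
    $inner = substr($renderedCell, strlen('<td class="name">'), -strlen('</td>'));
    return $inner !== htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        && preg_match('/[<>"\']/', $inner) === 1;
}

// Constructed sample: a plausible category name carrying an event handler,
// the same class of input the advisory's alert proof of concept relies on.
$sample = 'Standard <img src=x onerror="alert(1)">';

$unsafe = renderNameUnsafe($sample);
$safe   = renderNameSafe($sample);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
echo 'unsafe rendering carries markup: ', var_export(containsActiveMarkup($unsafe, $sample), true), PHP_EOL;
echo 'safe rendering carries markup:   ', var_export(containsActiveMarkup($safe, $sample), true), PHP_EOL;
```

Note what the escalation payload on this page tells a defender: it reads `Craft.csrfTokenName` and `Craft.csrfTokenValue` from the control panel's own JavaScript globals, so the CSRF protection on the permissions endpoint does nothing against script that already runs in the administrator's page. CSRF tokens and session elevation are not the layer that fixes this class of bug; output encoding at the rendering site is, which is why the upgrade to the patched versions is the remediation rather than any request-side control.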