Jan 2, 2026 · 6 min read
Bagisto versions prior to 2.3.10 fail to sanitize HTML input on the server side within the CMS page editor. Developers relied on the WYSIWYG editor's client-side filtering, which can be trivially bypassed using a proxy. An attacker with CMS permissions can inject persistent JavaScript that executes for all visitors, leading to potential credit card skimming or session hijacking.
A classic 'client-side trust' failure in the Bagisto e-commerce platform allows privileged attackers to bypass HTML filters and inject malicious JavaScript. While requiring administrative access, this Stored XSS vulnerability poses a severe threat to storefront customers, enabling Magecart-style skimming attacks via the CMS page editor.
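The root cause is that the only HTML filter sat in the browser. The following is an added example, not Bagisto's own code: a DOM-based allowlist sanitizer applied on the server before CMS page content is stored, so that a proxy bypass of the editor changes nothing. The class name and the allowed tag, attribute and scheme sets are assumptions chosen for illustration.

```php
<?php
// Added example (not Bagisto's code): server-side allowlist sanitizer for CMS page HTML.
// Run it in the controller/FormRequest before the content is saved.
final class CmsHtmlSanitizer
{
    private const ALLOWED_TAGS    = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li',
                                     'h1', 'h2', 'h3', 'a', 'img', 'div', 'span'];
    private const ALLOWED_ATTRS   = ['href', 'src', 'alt', 'title', 'class'];
    private const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

    public static function sanitize(string $html): string
    {
        $doc = new \DOMDocument();
        libxml_use_internal_errors(true);          // tolerate malformed markup
        $doc->loadHTML('<?xml encoding="utf-8"?>' . $html);
        libxml_clear_errors();

        // Snapshot the live NodeList first: removing nodes while iterating it skips siblings.
        foreach (iterator_to_array($doc->getElementsByTagName('*')) as $el) {
            if ($el->tagName === 'html' || $el->tagName === 'body') {
                continue;                          // wrappers libxml adds; dropped on output
            }
            if (!in_array($el->tagName, self::ALLOWED_TAGS, true)) {
                $el->parentNode?->removeChild($el); // <script>, <iframe>, <style>, ... go with their content
                continue;
            }
            foreach (iterator_to_array($el->attributes, false) as $attr) {
                // Anything outside the allowlist is dropped, which covers every on* handler.
                if (!in_array($attr->name, self::ALLOWED_ATTRS, true)
                    || !self::urlIsSafe($attr->name, $attr->value)) {
                    $el->removeAttribute($attr->name);
                }
            }
        }
        $body = $doc->getElementsByTagName('body')->item(0);
        $out = '';
        foreach ($body?->childNodes ?? [] as $child) {
            $out .= $doc->saveHTML($child);        // serialise without the <html><body> wrapper
        }
        return $out;
    }

    // href/src may only be relative or use an explicitly allowed scheme.
    private static function urlIsSafe(string $name, string $value): bool
    {
        if ($name !== 'href' && $name !== 'src') {
            return true;
        }
        // Browsers ignore control characters inside the scheme ("java\tscript:"), so strip them before checking.
        $probe = preg_replace('/[\x00-\x20]+/', '', $value) ?? '';
        if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
            return true;                           // no scheme: relative URL
        }
        return in_array(strtolower($m[1]), self::ALLOWED_SCHEMES, true);
    }
}
```

Because the DOM parser decodes entities before the checks run, an encoded `javascript&#x3a;` URL or an event handler hidden behind entity-encoded attribute names is evaluated in its decoded form, which is the form the browser would see.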
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Bagisto (Webkul) | < 2.3.10 | 2.3.10 |


| Attribute | Detail |
|---|---|
| CWE ID | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVSS v4.0 | 5.2 (Medium) |
| Attack Vector | Network (Authenticated) |
| Privileges Required | High (Admin) |
| Impact | Stored XSS / Data Exfiltration |
| Fix Version | 2.3.10 |