I have found a stored XSS vulnerability in
[shop].myshopify.com/admin/orders/[id] in conversion details links, it's the same as #55842 but this one is through landing page URL not the referrer.
Steps to reproduce:
1. Navigate to
_landing_page cookie value to
3. Add a product to your cart then complete the checkout process.
4. Login with an admin account then navigate to
[shop].myshopify.com/admin/orders/[id] and click the link for The first page they visited and
alert(1) will be executed.
Impact: This is a customer-to-admin XSS, so an attacker can target admins to do malicious actions such as fetching the CSRF token and using it to submit a request to add himself as an admin to takeover the store.