A simple “notes” box at checkout. Harmless on the store itself. But staff see that note later in their dashboard, and there it is rendered as live HTML, not as text.
Our AI placed a normal-looking order with a script hidden in the note. Hours later a staff member opened it, the script ran inside their session, and the attacker took over: a new admin login, and control of pricing and payouts.
A stored XSS the scanner never caught.
Not just “you have a bug.” We showed the exact page at fault, the one-line fix, and how to block anything like it in future, with steps a developer can replay in 5 minutes.