CVE-2025-65589

6.1 MEDIUM

📋 TL;DR

nopCommerce 4.90.0 contains a cross-site scripting (XSS) vulnerability in the Attributes functionality: values supplied to attribute fields are rendered into web pages without adequate output encoding, so an attacker with access to that functionality can inject script that executes in the browsers of other users who view the affected pages. This affects every nopCommerce 4.90.0 installation that uses the Attributes feature. Injected script could steal session cookies that are readable by script, redirect users, or perform actions in the victim's session on their behalf.

💻 Affected Systems

Products:
  • nopCommerce
Versions: 4.90.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the Attributes functionality which is part of the standard nopCommerce installation.

📦 What is this software?

nopCommerce is an open-source e-commerce platform built on ASP.NET Core. The Attributes functionality lives in the admin area (Catalog → Attributes) and covers product, specification and checkout attributes, whose names and values are rendered back into admin pages and into storefront pages such as product and checkout pages.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers inject script that runs in an administrator's browser. If the authentication cookie is not marked HttpOnly they can steal it directly; even if it is (the ASP.NET Core default), the script can still issue requests in the administrator's session, for example to create a new administrator account or change store settings. From there the entire e-commerce platform, including customer data and any payment information held by the store, is at risk.

🟠 Likely Case

Attackers inject script that steals session cookies or drives the victim's session, allowing them to impersonate users and perform unauthorized actions such as placing orders or accessing personal information.

🟢 If Mitigated

With contextual output encoding at the point where attribute values are rendered (and input validation as defence in depth), the injected payload is displayed as literal text rather than interpreted as markup or script.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (a victim must load the page where the injected value is rendered, or follow a crafted link), and the attacker needs access to the Attributes functionality, which sits in the admin area and therefore typically requires an authenticated account with the corresponding permissions. The realistic path is a low-privileged or compromised back-office account being used to target administrators or customers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.90.1 or later

Vendor Advisory: https://www.nopcommerce.com/

Restart Required: Yes

Instructions:

1. Back up your nopCommerce installation (application files, App_Data, plugins and themes) and the database.
2. Download the fixed release from nopCommerce.com.
3. Replace the existing application files with the updated version, preserving App_Data and any custom plugins and themes.
4. Restart the application pool or web server.
5. Test critical functionality, including the admin area and the Attributes pages.

🔧 Temporary Workarounds

Disable Attributes Functionality (Platform: all)

Temporarily stop using the Attributes functionality if it is not required for business operations, and restrict admin-area access to the smallest possible set of trusted accounts, since the attacker must reach the attribute forms to inject a payload.

Implement Input Validation (Platform: all)

Add server-side validation that rejects markup in attribute names and values. This is defence in depth only: the actual fix for XSS is encoding the values for their HTML context when they are rendered, and both changes require modifying and rebuilding nopCommerce from source, so they are a stopgap until the fixed release is deployed.

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules in front of the admin area; WAF rules are bypassable and should be treated as a speed bump, not a fix
  • Enable Content Security Policy (CSP) headers to restrict script execution; roll them out with Content-Security-Policy-Report-Only first, because a policy that blocks inline scripts will break parts of the nopCommerce admin UI unless nonces or hashes are used

🔍 How to Verify

Check if Vulnerable:

Check whether you are running nopCommerce 4.90.0 by reading the version reported in the admin panel (System Information page or the admin footer). The version is not reliably present in web.config, so do not depend on that file.

Check Version:

Check Admin → Configuration → System Information in nopCommerce dashboard

Verify Fix Applied:

After updating, verify that the version shown in the admin panel is 4.90.1 or later. Then enter a harmless probe string (a bogus HTML element carrying a unique token, not a live exploit) into an attribute name and value, and inspect the HTML of every page that renders that attribute, admin lists and storefront pages alike. The probe must come back entity-encoded (&lt;, &gt;, &quot;); if it appears as raw markup in any context, the fix is not in place there.
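The following Python script is an added example for the verification step above; it is not nopCommerce code. It builds a probe string (a bogus xsscheck element with a unique token) that an administrator enters into an attribute field, and then classifies the HTML of any page rendering that attribute as raw, encoded, partially encoded or absent. The URL fetch helper takes whatever page displays the attribute; no nopCommerce URL is assumed. The sample response fragments are constructed.

```python
"""Classify how a rendered page encoded an XSS probe placed in a nopCommerce attribute.

Added example, not nopCommerce code. Workflow: enter the probe string as an
attribute name/value in the admin area, fetch the pages where that attribute
is displayed, and classify their HTML here.
"""
import re
import secrets
import urllib.request
from typing import Dict, Optional, Tuple

# Bogus element name: browsers ignore it, so a leak is observable but harmless.
PROBE_TAG = "xsscheck"

# Entity spellings a server-side encoder may emit for < and >.
ENC_LT = r"(?:&lt;|&#60;|&#x3c;)"
ENC_GT = r"(?:&gt;|&#62;|&#x3e;)"


def make_probe(token: Optional[str] = None) -> Tuple[str, str]:
    """Return (payload, token). The token makes the probe unique per test run."""
    token = token or secrets.token_hex(6)
    return f'<{PROBE_TAG} data-t="{token}">', token


def classify(body: str, token: str) -> str:
    """Classify how a response body rendered the probe carrying `token`.

    "raw"      the probe element survived as markup: the page is vulnerable
    "encoded"  the element's angle brackets were entity-encoded: safe
    "partial"  token present but neither fully raw nor fully encoded, e.g. '<'
               was encoded but a following '>' was not; treat as vulnerable
    "absent"   token not in this page: stripped, rejected, or not rendered here
    """
    raw = re.compile(rf"<\s*{PROBE_TAG}\b[^>]*{re.escape(token)}", re.I)
    encoded = re.compile(
        rf"{ENC_LT}{PROBE_TAG}[^<>]*?{re.escape(token)}[^<>]*?{ENC_GT}", re.I
    )
    if raw.search(body):
        return "raw"
    if token not in body:
        return "absent"
    if encoded.search(body):
        return "encoded"
    return "partial"


def check_url(url: str, token: str, timeout: float = 10.0) -> str:
    """Fetch a rendered page and classify it. `url` is any page that displays
    the probed attribute (product page, checkout, admin list); none is assumed."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return classify(resp.read().decode("utf-8", errors="replace"), token)


# Constructed HTML fragments standing in for real nopCommerce responses.
SAMPLE_TOKEN = "0a1b2c3d4e5f"
SAMPLES = {
    "vulnerable": f'<td class="attr-name"><xsscheck data-t="{SAMPLE_TOKEN}"></td>',
    "fixed": f'<td class="attr-name">&lt;xsscheck data-t=&quot;{SAMPLE_TOKEN}&quot;&gt;</td>',
    # '<' encoded but '>' left raw: attribute-context breakout still possible.
    "attribute_context": f'<input value="&lt;xsscheck data-t={SAMPLE_TOKEN}">',
    "unrelated": "<td>Color</td>",
}


def classify_samples() -> Dict[str, str]:
    return {name: classify(body, SAMPLE_TOKEN) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:>18}: {verdict}")
```

Only "encoded" is a pass. "partial" matters because encoders that handle the element context but not the attribute context leave an attribute-breakout path open, and a check that only greps for a literal "<script>" would miss it.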

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to Attributes endpoints containing script tags or JavaScript code
  • Multiple failed login attempts followed by Attributes functionality access

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript in Attributes parameters
  • Requests from users' browsers to unfamiliar external domains shortly after they viewed pages that render attributes (visible in proxy logs or as Referer headers at the attacker's host); the injected script runs in the victim's browser, not on the nopCommerce server, so server-side outbound connections are not the indicator to watch for here

SIEM Query:

source="nopcommerce" AND http_request="*Attribute*" AND (http_request="*<script*" OR http_request="*%3Cscript*" OR http_request="*javascript:*" OR http_request="*onerror=*" OR http_request="*onload=*")

Literal matches on <script> miss percent-encoded, double-encoded and entity-encoded payloads and event-handler vectors, so decode the request before matching where your SIEM allows it. Web-server access logs also record only the URL and query string; payloads submitted in POST form bodies to the attribute forms are only visible in WAF or application-level request logging.
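The following Python script is an added example of the detection logic behind the query above, run over constructed log lines; it is not nopCommerce or vendor code. It assumes one whitespace-separated access-log line per request with the fields date, time, method, URI stem, URI query ("-" when empty), status and client IP, and treats the /Admin/...Attribute/... paths as illustrative attribute endpoints. It decodes each request before matching, which catches the double-encoded and entity-encoded payloads a literal "<script>" search misses.

```python
"""Scan access-log lines for XSS payloads aimed at nopCommerce Attributes endpoints.

Added example, not nopCommerce code. Assumed log format per line:
  date time method uri-stem uri-query status client-ip   ('-' = empty query)
Admin paths in the sample are illustrative.
"""
import html
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote

# Any attributes endpoint (product, specification or checkout attributes).
ATTR_PATH = re.compile(r"attribute", re.I)

# Matched against the decoded, lower-cased request, never the raw log text.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script"),
    "javascript_uri": re.compile(r"javascript\s*:"),
    "html_vector": re.compile(r"<\s*(?:img|svg|iframe|object|embed|body)\b"),
    "event_handler": re.compile(r"\bon[a-z]+\s*="),  # onerror=, onload=, ...
}


def normalize(text: str, rounds: int = 3) -> str:
    """Undo encodings that defeat a literal match: bounded repeated percent-decoding
    (catches double encoding without looping forever), then HTML entity decoding,
    then lower-casing."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return html.unescape(text).lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    parts = line.split()
    if len(parts) != 7:
        return None  # malformed or unrelated line; skipped rather than guessed at
    date, time, method, stem, query, status, client = parts
    return {
        "time": f"{date} {time}",
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": status,
        "client": client,
    }


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One finding per request to an attributes endpoint whose decoded stem or
    query matches at least one XSS pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ATTR_PATH.search(rec["stem"]):
            continue
        decoded = normalize(rec["stem"] + "?" + rec["query"])
        matched = [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]
        if matched:
            findings.append({**rec, "decoded": decoded, "patterns": matched})
    return findings


# Constructed sample log. Line 2 is double percent-encoded, line 3 is
# percent-encoded HTML entities; line 4 carries a payload but is not an
# attributes endpoint and is deliberately out of scope for this query.
SAMPLE_LOG = """\
2025-11-20 10:15:02 POST /Admin/ProductAttribute/Create - 302 203.0.113.5
2025-11-20 10:15:40 GET /Admin/ProductAttribute/Edit/12 name=%253Cscript%253Ealert(1)%253C%252Fscript%253E 200 203.0.113.5
2025-11-20 10:16:05 GET /Admin/SpecificationAttribute/Create desc=%26lt%3Bimg+src%3Dx+onerror%3Dalert(1)%26gt%3B 200 203.0.113.5
2025-11-20 10:16:30 GET /product/red-shirt q=%3Cscript%3E 200 198.51.100.7
2025-11-20 10:17:00 GET /Admin/CheckoutAttribute/List - 200 192.0.2.10
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["client"]} {hit["stem"]} {hit["patterns"]}: {hit["decoded"]}')
```

The first POST in the sample produces no finding even though an attribute form submission is exactly where a stored payload would arrive: its body is not in the access log. Pair this with WAF or application request logging for POST bodies, and treat the event-handler pattern as noisier than the others (any parameter name of the form "on...=" will trip it).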
