CVE-2025-65591

5.4 MEDIUM

📋 TL;DR

nopCommerce 4.90.0 contains a cross-site scripting vulnerability in its Currencies functionality that allows attackers to inject malicious scripts into web pages. This affects administrators and users who view currency-related pages. Attackers could steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • nopCommerce
Versions: 4.90.0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of nopCommerce 4.90.0 regardless of configuration. The vulnerability is in the core Currencies functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account compromise leading to full e-commerce platform takeover, data theft, and malicious code injection affecting all customers.

🟠 Likely Case: Session hijacking of administrators or users, credential theft, and defacement of currency-related pages.

🟢 If Mitigated: Limited impact with proper input validation and output encoding in place, potentially only affecting specific administrative functions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (a victim viewing the injected content), but XSS payloads are simple to craft. The vulnerability is in the admin interface's Currencies section.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.90.1 or later

Vendor Advisory: https://www.nopcommerce.com/

Restart Required: Yes

Instructions:

1. Back up your nopCommerce database and files.
2. Download nopCommerce 4.90.1 or later from the official website.
3. Replace the existing installation files with the patched version.
4. Restart the web application.
5. Verify the patch by testing currency functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation for all currency-related fields to reject malicious scripts.

Modify CurrenciesController.cs to add input validation using ASP.NET Core's built-in validation attributes.

Output Encoding (applies to: all)

Apply proper HTML encoding to all currency data displayed in views.

Update Razor views to use @Html.Raw() only for trusted content and @Html.Encode() for user-controlled data.
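The two workarounds above (server-side allow-list validation of the currency fields, and HTML encoding of anything rendered back to the admin) as a stand-alone console example. This is an added illustration written for this page, not nopCommerce's own code: `CurrencyFormModel`, `CurrencyGuard` and the regular expressions are assumptions chosen to show the technique, and nopCommerce's real model and controller classes are not reproduced here. It uses only the .NET base class library (System.ComponentModel.DataAnnotations and System.Text.Encodings.Web), so it compiles as a plain .NET 6+ console project.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.Encodings.Web;

// Hypothetical view model for the currency edit form (not nopCommerce's own
// model). The attributes are the server-side allow-list rules the workaround
// calls for; MVC model binding evaluates them before the action body runs and
// the controller only has to check ModelState.IsValid.
public class CurrencyFormModel
{
    // Currency names: letters, digits, spaces and a few punctuation marks.
    // Angle brackets, quotes and ampersands are never part of a valid name.
    [Required]
    [StringLength(50)]
    [RegularExpression(@"^[\p{L}\p{N} ().,'-]+$",
        ErrorMessage = "Name contains characters that are not allowed.")]
    public string Name { get; set; } = string.Empty;

    // ISO 4217 codes are exactly three uppercase ASCII letters.
    [Required]
    [RegularExpression("^[A-Z]{3}$",
        ErrorMessage = "Currency code must be three uppercase letters.")]
    public string CurrencyCode { get; set; } = string.Empty;

    // Display format such as "$0.00" or "0.00 €": currency symbols, letters,
    // digits, whitespace and the format characters only.
    [Required]
    [StringLength(20)]
    [RegularExpression(@"^[\p{Sc}\p{L}\p{N}\s.,#]+$",
        ErrorMessage = "Custom formatting contains characters that are not allowed.")]
    public string CustomFormatting { get; set; } = string.Empty;
}

public static class CurrencyGuard
{
    // Runs the DataAnnotations rules outside MVC (the same checks that fill
    // ModelState inside a controller) and returns the error messages.
    public static IReadOnlyList<string> Validate(CurrencyFormModel model)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(model, new ValidationContext(model), results,
            validateAllProperties: true);
        var errors = new List<string>();
        foreach (ValidationResult r in results)
            errors.Add(r.ErrorMessage ?? "invalid value");
        return errors;
    }

    // Encodes a value for HTML element content. Razor applies this encoder
    // automatically to @expression output; @Html.Raw(...) bypasses it, which
    // is why Raw must only ever receive trusted markup.
    public static string EncodeForHtml(string value)
    {
        return HtmlEncoder.Default.Encode(value);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs: one clean currency and one whose name carries a
        // script tag, as it would arrive through the edit form.
        var clean = new CurrencyFormModel
        {
            Name = "Euro", CurrencyCode = "EUR", CustomFormatting = "0.00 €"
        };
        var tainted = new CurrencyFormModel
        {
            Name = "Euro<script>alert(1)</script>", CurrencyCode = "EUR", CustomFormatting = "0.00 €"
        };

        Console.WriteLine("clean errors:   " + CurrencyGuard.Validate(clean).Count);
        foreach (string err in CurrencyGuard.Validate(tainted))
            Console.WriteLine("tainted error:  " + err);

        // Validation guards new input; encoding at render time also neutralises
        // values that were stored before the rule existed.
        Console.WriteLine("encoded output: " + CurrencyGuard.EncodeForHtml(tainted.Name));
    }
}
```

The clean model produces no errors; the tainted one is rejected by the `Name` rule, and `EncodeForHtml` turns its angle brackets into HTML entities so a browser renders the text instead of executing it. The two layers are deliberately independent: the allow-list stops the value from being saved, and the encoder protects the view even for data that was already in the database.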

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
  • Restrict access to the Currencies functionality to trusted administrators only and monitor for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check if your nopCommerce version is 4.90.0 by viewing the admin dashboard or checking the web.config file version.

Check Version:

Check the version in Admin → System → System Information or examine the web.config file for version metadata.

Verify Fix Applied:

After patching, test the Currencies functionality by attempting to inject basic XSS payloads (e.g., <script>alert('test')</script>) and verify they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /Admin/Currency/Edit or /Admin/Currency/Create with script tags
  • Multiple failed login attempts following currency page views

Network Indicators:

  • HTTP requests containing script tags in currency-related parameters
  • Unexpected redirects from currency pages

SIEM Query:

source="web_server" AND (uri_path="/Admin/Currency/*" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))
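The SIEM query above, applied to log lines in code, as an added example that is not part of the original advisory. The `WebLogEntry` record, the `METHOD | path | body` line format and the sample lines are all constructed for this illustration and assume nothing about nopCommerce's or any server's real log format. It also handles one gap a literal `CONTAINS "<script>"` match has: browsers percent-encode form bodies, so `<script>` reaches the log as `%3Cscript%3E`, and tag names may vary in case.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical record for one web-server log entry; the fields mirror what
// the SIEM query references (uri_path and request_body).
public record WebLogEntry(string Method, string UriPath, string RequestBody);

public static class CurrencyXssDetector
{
    // Markers from the SIEM query. "<script" rather than "<script>" also
    // catches tags that carry attributes, such as <script src=...>.
    private static readonly string[] Markers = { "<script", "javascript:" };

    // Applies the query's logic to one entry: the path must be under
    // /Admin/Currency/ and the body must carry a marker. The body is
    // URL-decoded first because form posts arrive percent-encoded, and the
    // comparison ignores case.
    public static bool IsSuspicious(WebLogEntry entry)
    {
        if (!entry.UriPath.StartsWith("/Admin/Currency/", StringComparison.OrdinalIgnoreCase))
            return false;

        string body = WebUtility.UrlDecode(entry.RequestBody);
        foreach (string marker in Markers)
        {
            if (body.Contains(marker, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Parses the constructed "METHOD | path | body" line format used below.
    public static WebLogEntry Parse(string line)
    {
        string[] parts = line.Split('|', 3);
        string body = parts.Length > 2 ? parts[2].Trim() : string.Empty;
        return new WebLogEntry(parts[0].Trim(), parts[1].Trim(), body);
    }

    // Returns only the entries the rule flags.
    public static List<WebLogEntry> Scan(IEnumerable<string> lines)
    {
        var hits = new List<WebLogEntry>();
        foreach (string line in lines)
        {
            WebLogEntry entry = Parse(line);
            if (IsSuspicious(entry)) hits.Add(entry);
        }
        return hits;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample log lines (not real traffic).
        string[] sampleLog =
        {
            "POST | /Admin/Currency/Edit | Id=2&Name=Euro%3Cscript%3Ealert%281%29%3C%2Fscript%3E&CurrencyCode=EUR",
            "POST | /Admin/Currency/Create | Name=Yen&CurrencyCode=JPY&Rate=150.2",
            "GET | /Admin/Currency/List | ",
            "POST | /Admin/Customer/Edit | Note=%3Cscript%3Ex%3C%2Fscript%3E",
            "POST | /Admin/Currency/Edit | Id=3&DisplayLocale=JAVASCRIPT%3Aalert%281%29",
        };

        foreach (WebLogEntry hit in CurrencyXssDetector.Scan(sampleLog))
            Console.WriteLine($"ALERT {hit.Method} {hit.UriPath} body={hit.RequestBody}");
    }
}
```

Only the two `/Admin/Currency/Edit` lines are flagged: the percent-encoded script tag and the upper-cased `javascript:` URI both match after decoding, while the clean currency requests and the script tag posted to a non-currency path do not. When translating this back into a SIEM rule, apply the platform's URL-decode function to `request_body` and use a case-insensitive match, otherwise the rule as written only fires on payloads that were logged verbatim.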
