CVE-2025-65593

8.8 HIGH

📋 TL;DR

nopCommerce 4.90.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in its Schedule Tasks functionality. An attacker can trick an authenticated administrator into performing unauthorized actions by luring them to a malicious web page. All nopCommerce 4.90.0 installations are affected; exploitation requires a victim with administrator access.

💻 Affected Systems

Products:
  • nopCommerce
Versions: 4.90.0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires a victim with an authenticated administrator session. All nopCommerce 4.90.0 installations are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could create, modify, or delete scheduled tasks, potentially disrupting business operations, stealing data, or establishing persistence through malicious task execution.

🟠 Likely Case

Attackers could modify existing scheduled tasks to run malicious code, disrupt automated processes, or cause service degradation.

🟢 If Mitigated

With proper CSRF protections and administrator awareness, exploitation risk is significantly reduced, though the vulnerability remains present.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated administrator into visiting a malicious page. CSRF attacks are well-understood and easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.90.1 or later

Vendor Advisory: https://www.nopcommerce.com/

Restart Required: Yes

Instructions:

1. Back up your nopCommerce installation and database.
2. Download the latest version from nopCommerce.com.
3. Replace the existing files with the patched version.
4. Restart the application/web server.

🔧 Temporary Workarounds

  • Implement CSRF Tokens (applies to: all): Manually add anti-CSRF tokens to Schedule Tasks endpoints
  • Restrict Administrator Access (applies to: all): Limit administrator access to trusted networks and implement strict browser security policies

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block CSRF attempts
  • Require re-authentication for sensitive actions like schedule task modifications

🔍 How to Verify

Check if Vulnerable:

Check if running nopCommerce version 4.90.0 by examining the Admin area → System → System Information

Check Version:

Check Admin → System → System Information in nopCommerce interface

Verify Fix Applied:

Verify version is 4.90.1 or later in System Information and test CSRF protection on Schedule Tasks endpoints

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized schedule task modifications
  • Multiple failed CSRF token validations
  • Unusual administrator activity patterns

Network Indicators:

  • POST requests to schedule task endpoints without proper referrer headers
  • Requests from unexpected sources to administrative endpoints

SIEM Query:

source="nopcommerce" AND (event="ScheduleTask" OR endpoint="/Admin/ScheduleTask/") AND status="200" AND referrer NOT CONTAINS "expected-domain"
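The SIEM query above is written in a tool-neutral pseudo-syntax. The script below is an added example (not part of this advisory and not nopCommerce code) that applies the same indicator to a handful of constructed web-server log lines: a successful state-changing request to the Schedule Tasks admin endpoints whose Origin or Referer is missing or points at a host other than the store. The log format, the hostname `shop.example.com` and the request paths are assumptions made for the example; only the `/Admin/ScheduleTask/` prefix comes from the advisory.

```python
from urllib.parse import urlparse

EXPECTED_HOST = "shop.example.com"       # assumption: the store's own hostname
WATCHED_PREFIX = "/Admin/ScheduleTask/"  # admin endpoint prefix named in the advisory

# Constructed sample log (tab-separated): method, path, status, Referer, Origin.
# "-" means the header was absent. These lines are made up for the example.
SAMPLE_LOG = """\
POST\t/Admin/ScheduleTask/Edit\t200\thttps://shop.example.com/Admin/ScheduleTask/List\thttps://shop.example.com
POST\t/Admin/ScheduleTask/Edit\t200\thttps://evil.example.net/lure.html\thttps://evil.example.net
POST\t/Admin/ScheduleTask/RunNow\t200\t-\t-
GET\t/Admin/ScheduleTask/List\t200\thttps://shop.example.com/Admin\t-
POST\t/Admin/ScheduleTask/Edit\t400\thttps://evil.example.net/lure.html\thttps://evil.example.net
POST\t/Admin/Product/Edit\t200\thttps://evil.example.net/lure.html\t-
"""


def parse_line(line):
    """Split one constructed log line into a dict; returns None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    method, path, status, referer, origin = parts
    return {"method": method, "path": path, "status": int(status),
            "referer": referer, "origin": origin}


def source_host(record):
    """Host the browser claims the request came from: Origin if present, else Referer."""
    for header in ("origin", "referer"):
        value = record[header]
        if value != "-":
            return urlparse(value).hostname
    return None


def is_suspicious(record):
    """Advisory indicator: a successful non-GET request to the Schedule Tasks
    endpoints whose source host is missing or is not the store itself."""
    if record["method"] == "GET" or record["status"] != 200:
        return False
    if not record["path"].startswith(WATCHED_PREFIX):
        return False
    return source_host(record) != EXPECTED_HOST


def find_suspicious(log_text):
    """Return (path, reason) for every suspicious record in the log text."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or not is_suspicious(record):
            continue
        host = source_host(record)
        reason = "no Origin/Referer header" if host is None else f"cross-site source {host}"
        hits.append((record["path"], reason))
    return hits


if __name__ == "__main__":
    for path, reason in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {path}: {reason}")
```

Two design choices are worth noting. Origin is consulted before Referer because browsers send Origin on cross-site POSTs even when a referrer policy suppresses Referer, and a request with neither header is treated as suspicious rather than benign, since same-site provenance cannot be confirmed. The constructed line with status 400 is deliberately not flagged by this rule: a rejected request is what the framework's own anti-forgery check produces, which is the separate "failed CSRF token validations" indicator listed above and is better counted on its own.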
