nopCommerce 4.90.0: XSS Vulnerability Unleashes HTML Chaos!

nopCommerce 4.90.0 has been bitten by the notorious Cross-Site Scripting (XSS) bug through its Attributes functionality. It’s a classic case of “JavaScript gone wild,” where attackers can sneak scripts into the Name field, where they wait for a curious privileged user to trigger the mayhem.


Hot Take:

Who knew that a simple name input could turn into a playground for cyber trickery? Looks like nopCommerce 4.90.0 is serving up a side of JavaScript with its attributes. Somebody call the cyber exterminators because we’ve got some XSS bugs to squash!

Key Points:

  • The vulnerability affects nopCommerce version 4.90.0.
  • The issue stems from the Attributes management workflow.
  • Attackers can exploit it through the Name field in the Add Group section.
  • The exploit triggers only when a privileged user visits the affected pages.
  • The vulnerability has been assigned CVE-2025-65589.

The Nimble Nerd