XSS Alert: Blog Posts on nopCommerce 4.90.0 Vulnerable to Exploits!

Watch out, bloggers! nopCommerce 4.90.0 has a Cross Site Scripting (XSS) vulnerability lurking in its blog posts. Add some malicious spice to the Body overview field, and voilà—instant chaos! Keep your content management area safe, or you might end up with more than just cat videos on your blog!

1P
Published: December 16, 2025 6:30 amAdded: December 15, 2025 at 11:00 pmAssembled by: The Editor
Pro Dashboard

Hot Take:

Ah, nopCommerce, always keeping us on our toes! Just when you thought it was safe to blog about your cats or your favorite lasagna recipe, along comes a sneaky XSS vulnerability to spice things up. Who knew vulnerability disclosure could be as thrilling as a soap opera?

Key Points:

  • nopCommerce version 4.90.0 is susceptible to a Stored XSS vulnerability.
  • The vulnerability is located in the “Content Management” area, specifically within the “Blog posts” functionality.
  • Malicious HTML/JavaScript can be injected into the Body overview field of a blog post.
  • Once stored, the malicious code executes when the blog page is accessed.
  • Assigned CVE code for this vulnerability is CVE-2025-65590.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?