Primary

Context

nopCommerce Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in nopCommerce version 4.40.3. The issue resides in the Product Name field within the admin product editing interface. When a product is viewed in the shop, the injected XSS payload is executed, potentially harming users.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the product.

Reproduction

To reproduce this vulnerability, log in as an admin and navigate to the product editing page. In the Product Name field, enter a payload that includes an SVG element with an onload event, such as one that uses JavaScript to access the alert function. After saving the product, visit the product page in the shop frontend to see the payload execute.

Added: Oct 3, 2025, 5:19 PM

Updated: Oct 3, 2025, 7:43 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

1.7

exploitability

7.9

remediation

0.0

relevance

0.6

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

1.7

exploitability

7.9

remediation

0.0

relevance

0.6

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

nopCommerce Stored Cross-Site Scripting Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

nopCommerce

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating