nopCommerce Stored Cross-Site Scripting Vulnerability in Blog Posts Functionality

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in nopCommerce version 4.90.0. The issue lies in the Blog posts feature of the admin panel's Content Management area: HTML or JavaScript entered into the Body overview field of a blog post is stored on the server as-is and later rendered, without sanitization or output encoding, on the public blog page, so the injected script executes in the browser of every visitor who loads that page.

Impact

Exploitation results in stored cross-site scripting: the injected script runs in the browser, and with the session, of every user who views the affected blog page, including other administrators who visit the public site. Because the payload is persisted server-side, it fires on every page load until the post is edited or removed. Note the prerequisite implied by the reproduction steps: the attacker needs an authenticated account with access to the admin panel's Content Management area, so the practical risk comes from a compromised or less-trusted content-editing account using the blog to attack visitors and higher-privileged staff.

Reproduction

To reproduce this vulnerability, log into the nopCommerce admin panel with an account that can manage content and navigate to the Content Management section. Select 'Blog posts' and create a new blog post or edit an existing one. In the Body overview field, insert an HTML or JavaScript payload (for example a script element or an element carrying an event-handler attribute). Save the post, then open the public blog page in a browser: the stored payload is rendered unmodified and the injected script executes.
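The payload classes described above (script elements, event-handler attributes, javascript: URLs) are what a server-side allowlist sanitizer on a rich-text field such as Body overview is meant to strip before storage. The following Python script is an added illustration, not code from nopCommerce or from the original report, of such a sanitizer: it keeps a small set of formatting tags and safe link attributes, drops everything else, and returns the list of dropped items, which doubles as a check you can run over already-stored post bodies to find ones that need review. The tag and attribute allowlists, the helper names and the sample payloads are assumptions made for the example; the page does not describe the vendor's own fix.

```python
"""Allowlist HTML sanitizer for CMS rich-text fields (illustrative, not nopCommerce code)."""
from __future__ import annotations

from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: enough for a blog summary, nothing that can run script.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "a", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative link
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-serializes only allowed tags/attributes; text is re-escaped on output."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_stack: list[str] = []
        self.skip_depth = 0          # >0 while inside <script>/<style>: drop text too
        self.dropped: list[str] = []  # what was removed, for logging or scanning

    @staticmethod
    def _safe_url(value: str | None) -> bool:
        if value is None:
            return False
        # Browsers ignore tabs/newlines inside URLs, so strip whitespace and
        # control characters before deciding on the scheme (errs on the safe side).
        cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
        return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # drop the tag, keep its inner text
            return
        safe_attrs = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")  # covers every on* handler
                continue
            if name == "href" and not self._safe_url(value):
                self.dropped.append(f"{tag}@href")     # javascript:, data:, ...
                continue
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag: str) -> None:
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_stack:
            # Close back to the matching open tag so the output stays well-formed.
            while self.open_stack:
                closed = self.open_stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data: str) -> None:
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data: str) -> None:
        pass  # comments are dropped; they are never needed in a post summary

    def result(self) -> str:
        self.close()
        while self.open_stack:  # close anything the author left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> tuple[str, list[str]]:
    """Return (clean_html, dropped_items). A non-empty dropped list on a
    stored post body means the post contained markup outside the allowlist."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # Constructed sample resembling a malicious Body overview value.
    payload = ('<p>Intro</p><script>alert(1)</script><img src=x onerror=alert(1)>'
               '<a href="javascript:alert(1)" onclick="x()">x</a>')
    clean, dropped = sanitize(payload)
    print(clean)
    print("dropped:", dropped)
```

Run `sanitize` on each stored Body overview before rendering (or, better, at save time) and log the dropped list; a non-empty list on an existing post is the signal to inspect it. The sanitizer works on the parsed tree rather than on regular expressions, so entity-encoded attribute values (for example an href spelled with `&#106;avascript:`) are decoded by the parser before the scheme check and are still rejected.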

Added: Dec 16, 2025, 7:43 PM
Updated: Dec 16, 2025, 8:19 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 1.7
exploitability: 6.9
remediation: 0.0
relevance: 1.6
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.