CVE-2025-11699

Published: Dec 1, 2025

Modified: Dec 1, 2025

PUBLISHED

Description

nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.

Vendor	Product	Versions
nopSolutions	nopCommerce	affected `4.80.3 - <= 4.80.4`
nopSolutions	nopCommerce	affected `4.10 - < 4.70`

References

https://seclists.org/fulldisclosure/2025/Aug/14

https://github.com/nopSolutions/nopCommerce/issues/7044

https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-11699

Description

Affected Products

References