CVE-2025-11699

Summary

nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.

Affected Software

VendorProductVersion RangeStatus
nopSolutionsnopCommerce4.80.3 <= 4.80.4affected
nopSolutionsnopCommerce4.10 < 4.70affected

Weaknesses

  • CWE-613 Insufficient Session Expiration

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References