Security researchers have uncovered a serious vulnerability in nopCommerce, a popular open-source ecommerce platform used by major companies, including Microsoft, Volvo, and BMW.
The flaw allows attackers to hijack user accounts by exploiting captured session cookies, even after legitimate users have logged out.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-11699 |
| Vulnerability Title | Insufficient Session Cookie Invalidation |
| Platform | nopCommerce (ASP.NET Core) |
| Severity | High |
The Vulnerability Explained
The vulnerability, tracked as CVE-2025-11699, stems from insufficient invalidation of session cookies in nopCommerce’s login system.
When users log out, the platform fails to correctly invalidate their session cookies, leaving them vulnerable to abuse.
An attacker who obtains a valid session cookie can keep using it to reach restricted areas, including administrative endpoints, long after the original user has logged out.
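The pattern behind this bug class, as an added example that is not nopCommerce's code: a self-contained signed session ticket (modelled here in Python with a constructed key and a constructed `user|session_id|expiry|signature` layout) keeps verifying after logout unless the server records the revocation, which is what the hardened variant adds.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key-not-for-production"  # constructed; real servers load this from a key store

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_cookie(user: str, ttl: int, now: float) -> str:
    """Self-contained signed ticket 'user|session_id|expiry|signature'; the server stores nothing."""
    sid = secrets.token_hex(8)
    payload = f"{user}|{sid}|{int(now + ttl)}".encode()
    return f"{payload.decode()}|{_sign(payload)}"

def parse_cookie(cookie: str, now: float):
    """Return (user, sid, expiry) if the signature is genuine and the ticket is unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user, sid, exp, sig = parts
    if not hmac.compare_digest(_sign(f"{user}|{sid}|{exp}".encode()), sig) or now >= int(exp):
        return None
    return user, sid, int(exp)

# Vulnerable pattern: logout only asks the browser to drop the cookie and records nothing
# server-side, so a captured copy keeps authenticating until the ticket expires.
def stateless_logout(cookie: str, now: float) -> None:
    pass  # nothing to revoke: the signed ticket itself is still valid

def stateless_authenticate(cookie: str, now: float):
    parsed = parse_cookie(cookie, now)
    return parsed[0] if parsed else None

# Hardened pattern: logout records the session id as revoked until the ticket would have
# expired, so a replayed cookie is rejected even though its signature still verifies.
class RevocableSessions:
    def __init__(self) -> None:
        self.revoked = {}  # session id -> ticket expiry
    def logout(self, cookie: str, now: float) -> None:
        parsed = parse_cookie(cookie, now)
        if parsed:
            self.revoked[parsed[1]] = parsed[2]
    def authenticate(self, cookie: str, now: float):
        self.revoked = {s: e for s, e in self.revoked.items() if e > now}  # drop expired entries
        parsed = parse_cookie(cookie, now)
        if not parsed or parsed[1] in self.revoked:
            return None
        return parsed[0]
```

In ASP.NET Core's cookie authentication the equivalent server-side check hangs off the `OnValidatePrincipal` event or an `ITicketStore` session store; whether nopCommerce's fix uses either is not stated by the article.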
Session hijacking through cookie theft is not a new threat, but it remains highly effective. Attackers typically obtain cookies through cross-site scripting (XSS) attacks, network interception, or by compromising a user’s device.
Once captured, these cookies become valuable commodities sold on underground forums to other cybercriminals.
According to Carnegie Mellon University, the vulnerability affects nopCommerce versions 4.70 and earlier, as well as 4.80.3. The platform serves as the backbone for numerous online stores worldwide and uses ASP.NET Core and MS SQL Server.
Its integration with shipping APIs and content delivery networks makes it a critical piece of infrastructure for many businesses.
The discovery of this flaw is particularly concerning because it mirrors CVE-2019-7215, a similar vulnerability that exposed the same weakness years ago.
This suggests that insufficient security improvements have been made in the platform’s authentication mechanisms since then.
Cybercriminals exploit session-hijacking vulnerabilities for various purposes. Stolen session data has been used to launch ransomware attacks, commit cryptocurrency theft, and conduct unauthorized financial transactions.
The underground market for stolen session cookies remains active, with criminals regularly purchasing access credentials to compromise accounts at scale.
For businesses running nopCommerce, a single compromised administrator session could grant attackers complete control over the ecommerce platform, enabling them to steal customer data, manipulate transactions, or deploy malware.
The nopCommerce development team has released patches addressing this vulnerability. Users running version 4.70 or later, excluding version 4.80.3, are protected.
Those using version 4.80.3 or earlier must update immediately to version 4.90.3 or the latest available release.
System administrators are urged to prioritize this update, as the vulnerability poses direct threats to customer data and financial assets. The update process should be completed as soon as possible to minimize exposure.
This discovery highlights ongoing challenges in ecommerce platform security. The fact that a similar vulnerability existed in 2019 suggests that developers and businesses may not be adequately addressing session management best practices.
Proper cookie invalidation upon logout is a fundamental security requirement that should be implemented across all authentication systems.
Organizations using nopCommerce should conduct a security audit following the update to identify any suspicious account activities that may indicate prior exploitation.