CVE-2025-65591 identifies a Cross Site Scripting (XSS) vulnerability in nopCommerce version 4.90.0, specifically within the Currencies functionality. XSS vulnerabilities occur when an application does not properly sanitize user-supplied input, allowing attackers to inject malicious scripts that execute in other users' browsers. In this case, the vulnerability requires an attacker to have low-level privileges (PR:L) and user interaction (UI:R), meaning the attacker must be authenticated and trick a user into triggering the malicious payload. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), and a scope change (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact affects confidentiality and integrity to a limited extent (C:L/I:L), but does not affect availability (A:N). While no known exploits are currently in the wild, the vulnerability poses a risk to e-commerce platforms using nopCommerce 4.90.0, as attackers could steal session tokens, manipulate user data, or perform actions on behalf of other users. The absence of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation strategies. The CWE-79 classification confirms this is a classic reflected or stored XSS issue. Organizations should review their input validation and output encoding practices in the Currencies module and consider deploying web application firewalls (WAFs) to detect and block malicious payloads.

For European organizations, especially those operating e-commerce websites using nopCommerce 4.90.0, this vulnerability can lead to unauthorized access to user sessions, theft of sensitive information such as payment details, and potential manipulation of currency settings that could affect transaction integrity. The confidentiality and integrity of customer data are at risk, which could result in reputational damage, regulatory penalties under GDPR, and financial losses. Since the vulnerability requires authentication and user interaction, insider threats or social engineering attacks could be leveraged to exploit it. The lack of availability impact means service disruption is unlikely, but the compromise of user trust and data security remains significant. Given the widespread use of nopCommerce in European SMEs and online retailers, the threat could affect a broad range of sectors including retail, finance, and hospitality.

1. Monitor official nopCommerce channels for patches addressing CVE-2025-65591 and apply them promptly once released. 2. Implement strict input validation and output encoding in the Currencies functionality to sanitize user inputs and prevent script injection. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4. Use Web Application Firewalls (WAFs) configured to detect and block common XSS attack patterns targeting the affected module. 5. Conduct security awareness training to reduce the risk of social engineering attacks that could facilitate exploitation. 6. Review user privilege assignments to minimize the number of users with access to currency management features. 7. Perform regular security testing, including automated scanning and manual code reviews, focusing on input handling in the affected components.