CVE-2025-65592 is a stored Cross Site Scripting (XSS) vulnerability identified in nopCommerce version 4.90.0, a popular open-source e-commerce platform. The vulnerability arises from insufficient sanitization of user-supplied input in the product management module, specifically within the "Product Name" and "Short Description" fields. Attackers can inject malicious JavaScript payloads into these fields, which are then stored persistently in the backend database. When any user, including administrators or customers, views the affected product pages, the malicious scripts execute automatically in their browsers. This can lead to session hijacking, credential theft, or unauthorized actions performed with the victim’s privileges. The vulnerability is exploitable remotely over the network without requiring authentication, but it does require the victim to view the compromised page (user interaction). The CVSS 3.1 base score is 6.1, reflecting a medium severity with low attack complexity and no privileges required, but user interaction needed. The scope is changed (S:C) because the vulnerability affects resources beyond the initially vulnerable component, potentially impacting the confidentiality and integrity of user data. No patches or official fixes have been released yet, and no known exploits have been observed in the wild. The CWE classification is CWE-79, which corresponds to Cross Site Scripting. This vulnerability poses a significant risk to e-commerce operations relying on nopCommerce 4.90.0, as attackers could leverage it to compromise user sessions or inject fraudulent content.

For European organizations, especially those operating e-commerce websites using nopCommerce 4.90.0, this vulnerability can lead to the compromise of customer accounts, theft of sensitive information such as session cookies or personal data, and potential defacement or manipulation of product information. This undermines customer trust and can result in financial losses and reputational damage. Since the vulnerability allows execution of arbitrary scripts in users’ browsers, it could also facilitate phishing attacks or the spread of malware. The medium severity rating indicates a moderate risk, but the widespread use of nopCommerce in Europe’s online retail sector amplifies the potential impact. Additionally, regulatory frameworks like GDPR impose strict requirements on data protection; exploitation of this vulnerability could lead to compliance violations and associated penalties. The lack of available patches increases the urgency for organizations to implement compensating controls.

1. Implement strict input validation and sanitization on the "Product Name" and "Short Description" fields to prevent injection of malicious scripts. 2. Apply proper output encoding/escaping on all user-generated content before rendering it in the browser to neutralize any embedded scripts. 3. Restrict access to product management interfaces to trusted administrators only, and monitor for unusual input patterns or changes. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Regularly audit and review stored product data for suspicious or unexpected content. 6. Educate staff about the risks of XSS and the importance of secure data entry practices. 7. Monitor web application logs and user activity for signs of exploitation attempts. 8. Stay alert for official patches or updates from nopCommerce and apply them promptly once available. 9. Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads as an interim protective measure.