Categories: Cyber Security News

nopCommerce Vulnerability Enables Attackers to Gain Access to the Application Using Captured Cookie

Security researchers have uncovered a serious vulnerability in nopCommerce, a popular open-source ecommerce platform used by major companies including Microsoft, Volvo, and BMW.

The flaw, tracked as CVE-2025-11699, allows attackers to hijack user accounts by exploiting captured session cookies, even after legitimate users have logged out.

Vulnerability Overview

The vulnerability stems from insufficient session cookie invalidation in nopCommerce’s authentication system.

When users log out, the platform fails to correctly invalidate their session cookies, so a cookie that was copied before logout remains usable by whoever holds it.

An attacker who obtains a valid session cookie can use it to access restricted areas, including administrative endpoints, long after the original user has logged out.

Technical Details:

  • CVE ID: CVE-2025-11699
  • Severity: High
  • Affected Versions: nopCommerce 4.70 and earlier, plus 4.80.3
  • Platform: ASP.NET Core (uses MS SQL Server)
  • Vulnerability Type: Insufficient Session Cookie Invalidation
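To make the logout weakness concrete, here is an added illustration (not nopCommerce code, and a deliberately simplified model of ASP.NET Core cookie authentication): a signed, self-contained cookie whose logout only clears the browser side, beside a variant that tracks sessions server-side and revokes the session on logout. Class and function names are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

KEY = os.urandom(32)  # constructed per-process signing key for the example


def sign(payload: str) -> str:
    """Attach an HMAC so the client cannot forge or alter the cookie value."""
    mac = hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify(cookie: str):
    """Return the payload if the signature checks out, otherwise None."""
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None


class WeakAuth:
    """Vulnerable pattern: the cookie carries everything; logout only asks the browser to drop it."""

    def login(self, user: str) -> str:
        return sign(f"{user}:{int(time.time()) + 3600}")  # valid for an hour

    def logout(self, cookie: str) -> None:
        pass  # nothing is invalidated server-side, so a copy keeps working until expiry

    def is_authenticated(self, cookie: str) -> bool:
        payload = verify(cookie)
        if payload is None:
            return False
        _user, exp = payload.split(":")
        return int(exp) > time.time()


class HardenedAuth:
    """Fix: each login mints a server-side session id that logout revokes."""

    def __init__(self) -> None:
        self.active: dict[str, str] = {}  # session id -> user

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.active[sid] = user
        return sign(sid)

    def logout(self, cookie: str) -> None:
        self.active.pop(verify(cookie), None)  # revoke regardless of what the browser does

    def is_authenticated(self, cookie: str) -> bool:
        sid = verify(cookie)
        return sid is not None and sid in self.active


def replay_after_logout(auth) -> bool:
    """True if a cookie copied before logout still authenticates afterwards (the CVE's condition)."""
    cookie = auth.login("admin")
    captured = cookie  # constructed copy standing in for a cookie obtained earlier
    auth.logout(cookie)
    return auth.is_authenticated(captured)
```

Running replay_after_logout against both classes shows the difference an audit should look for: the weak model still accepts the copied cookie after logout, the hardened one does not.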

Session hijacking through cookie theft remains a highly effective attack vector. Attackers typically obtain cookies through cross-site scripting (XSS) attacks, network interception, or by compromising a user’s device.

Once captured, these cookies become valuable commodities sold on underground forums to cybercriminals.

The underground market for stolen session credentials remains active, with attackers regularly purchasing access to compromise accounts at scale.

The discovery of this vulnerability is particularly concerning because it mirrors CVE-2019-7215, a similar weakness disclosed years earlier.

This pattern suggests insufficient security improvements have been implemented in the platform’s authentication mechanisms since the previous incident.

For organizations running nopCommerce, a single compromised administrator session could grant attackers complete control over the ecommerce platform.

This enables threat actors to steal customer data, manipulate transactions, deploy malware, or launch ransomware attacks.

Cybercriminals have exploited similar session-hijacking vulnerabilities to conduct unauthorized financial transactions and cryptocurrency theft at scale.

The platform’s integration with shipping APIs and content delivery networks increases the impact of this vulnerability.

Thousands of online stores worldwide rely on nopCommerce as the backbone of their ecommerce infrastructure, making this flaw an attractive target for attackers.

The nopCommerce development team has released patches addressing this vulnerability. Users running version 4.70 or later (excluding version 4.80.3) are protected.

However, organizations using version 4.80.3 or earlier must update immediately to version 4.90.3 or the latest available release.

System administrators should prioritize this update urgently, as the vulnerability poses direct threats to customer data and financial assets.

Following the update, organizations should conduct thorough security audits to identify any suspicious account activities that may indicate prior exploitation.

Session management and proper cookie invalidation upon logout represent fundamental security requirements that must be implemented across all authentication systems.

The recurrence of similar vulnerabilities underscores the importance of adopting security best practices in ecommerce platform development and maintenance.


The post nopCommerce Vulnerability Enables Attackers to Gain Access to the Application Using Captured Cookie appeared first on Cyber Security News.
