CVE-2025-11699

nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a 
a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
certccCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
VendorProductVersion
nopcommercenopcommerce
𝑥
< 4.70.0
nopcommercenopcommerce
4.80.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nopSolutions/nopCommerce/issues/7044
https://seclists.org/fulldisclosure/2025/Aug/14
https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT
https://www.kb.cert.org/vuls/id/633103