CVE-2020-29475

MEDIUM

nopCommerce Store 4.30 - Stored Cross-Site Scripting in Schedule Tasks Name Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-29475. PoCs published by Hemant Patidar.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in nopCommerce Store 4.30 via the 'name' parameter in Schedule tasks. The payload is injected into the task name and triggers when a user accesses the page.

Description

nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.

Exploits (1)

exploitdb WORKING POC

by Hemant Patidar · textwebappsmultiple

https://www.exploit-db.com/exploits/49093

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in nopCommerce Store 4.30 via the 'name' parameter in Schedule tasks. The payload is injected into the task name and triggers when a user accesses the page.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: nopCommerce Store 4.30

Auth required

Prerequisites: Admin access to nopCommerce Store · Valid session cookie

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/49093

Scores

CVSS v3 4.8

EPSS 0.0108

EPSS Percentile 60.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

nopcommerce/store 4.30

Published Dec 29, 2020

Tracked Since Feb 18, 2026