CVE-2025-11699
HIGHnopCommerce < 4.70.0 and 4.80.3 - Insufficient Session Expiration
Title source: llmDescription
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
References (4)
Core 4
Core References
Issue Tracking
https://github.com/nopSolutions/nopCommerce/issues/7044
Mailing List, Third Party Advisory
https://seclists.org/fulldisclosure/2025/Aug/14
Release Notes
https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT
Third Party Advisory, Patch
https://www.kb.cert.org/vuls/id/633103
Scores
CVSS v3
7.1
EPSS
0.0040
EPSS Percentile
32.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-613
Status
published
Products (2)
nopcommerce/nopcommerce
4.80.3
nopcommerce/nopcommerce
< 4.70.0
Published
Dec 01, 2025
Tracked Since
Feb 18, 2026