A significant security vulnerability has been identified in nopCommerce, a popular open-source ecommerce platform that serves as the backbone for online stores operated by major global brands, including Microsoft, Volvo, and BMW. The flaw, identified as CVE-2025-11699, allows attackers to hijack user accounts—including administrator profiles—by reusing session cookies that should have been destroyed upon logout.
The core of the issue lies in how the platform handles session termination. In a secure environment, clicking “Log Out” should invalidate the session cookie, rendering it useless. However, the CERT/CC vulnerability note reveals that nopCommerce “fails to invalidate session cookies upon user logout or session termination, enabling attackers to use the captured cookie to gain access to the application.”
This creates a scenario where a session cookie becomes a permanent key. Even after a legitimate user believes they have closed their session, the door remains unlocked.
The advisory warns that “the session cookie can be obtained through XSS, network interception, or a local compromise, and can then be re-used even after the user has logged out.”
The implications of this vulnerability are severe, particularly because nopCommerce powers full retail ecosystems. If an attacker intercepts an administrator’s cookie, they could bypass authentication entirely.
The report notes that this flaw allows “an attacker who has a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking.”
Once inside, the potential for damage is extensive. The theft and reuse of these cookies could result in “financial or ransomware attacks.” Furthermore, CERT/CC highlights that this specific type of data is a commodity in the cybercriminal underworld: “Session cookies and session ID information has been sold on underground forums post device compromise for other attackers to leverage in attacks.”
Interestingly, this is not the first time nopCommerce has faced this specific type of architectural flaw. The vulnerability note points out that “this vulnerability is extremely similar to CVE-2019-7215.”
Administrators running online stores on nopCommerce are urged to audit their version numbers immediately. The vulnerability affects Version 4.70 and prior, as well as the specific Version 4.80.3.
To mitigate the risk of session hijacking, the following actions are recommended:
- Immediate Update: Users on version 4.80.3, or any version of nopCommerce prior to version 4.70, should update to the latest version, 4.90.3, as soon as possible.
- Safe Versions: Any version above 4.70 (with the explicit exception of 4.80.3) contains the fix.
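The logout behaviour the advisory describes, shown flawed and corrected side by side, as an added example written for this article (Python, not nopCommerce's own code): `SessionStore`, `replay_succeeds` and the sample admin session are constructed to illustrate server-side revocation and the detection signal it gives.

```python
from __future__ import annotations
import hashlib
import secrets


def _key(sid: str) -> str:
    # Store only a digest of the id, so a leaked session table does not hand out live cookies.
    return hashlib.sha256(sid.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self.active: dict[str, str] = {}  # digest(sid) -> user
        self.revoked: set[str] = set()    # digests of ids whose owner logged out
        self.audit: list[str] = []        # events worth alerting on

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256-bit opaque id, sent to the browser as the cookie
        self.active[_key(sid)] = user
        return sid

    def logout_client_only(self, sid: str) -> None:
        # The flawed pattern: only the browser's copy is cleared (Set-Cookie with Max-Age=0);
        # the server keeps honouring the id, so a captured copy still authenticates.
        return None

    def logout(self, sid: str) -> None:
        # Correct logout: revoke on the server, so every copy of the id stops working.
        if self.active.pop(_key(sid), None) is not None:
            self.revoked.add(_key(sid))

    def authenticate(self, sid: str) -> str | None:
        # A revoked id is refused and logged: a request carrying it after logout
        # is a strong session-hijack indicator worth alerting on.
        k = _key(sid)
        if k in self.active:
            return self.active[k]
        if k in self.revoked:
            self.audit.append("revoked session id presented after logout")
        return None


def replay_succeeds(server_side_revocation: bool) -> bool:
    # Admin logs in, the cookie is copied, admin logs out, the copy is replayed; True means the stale cookie still works.
    store = SessionStore()
    cookie = store.login("admin")
    (store.logout if server_side_revocation else store.logout_client_only)(cookie)
    return store.authenticate(cookie) == "admin"
```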