PT-2025-48449 · Unknown · Nopcommerce

Beafn28 +1 · Published 2025-12-01 · Updated 2026-01-06 · CVE-2025-11699

CVSS v3.1: 7.1 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: nopCommerce versions prior to 4.80.3
Description: The software does not invalidate session cookies after logout or session termination. An attacker holding a valid session cookie can therefore keep reaching privileged endpoints, such as '/admin', even after the legitimate user has logged out, which enables session hijacking. Approximately 40.8k instances are exposed. Because of this logout flaw, session cookies that should have been retired at logout remain usable, potentially leading to account hijacking, including administrative access.
Recommendations: Versions prior to 4.80.3 should be updated to version 4.80.3 or later.
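The following model, added here and not nopCommerce's own code, shows the flaw class and the check a fix must add: a signed cookie that is trusted until its expiry (the vulnerable handler) beside one that also requires the session id to still be in a server-side registry that logout clears. The cookie layout, the registry and `replay_after_logout` are assumptions for illustration; the regression check is the kind of test a deployment can run against a patched instance.

```python
"""Illustrative model of insufficient session expiration (assumed design,
not nopCommerce's code). The vulnerable handler accepts any well-signed,
unexpired cookie; the fixed handler also consults a server-side registry
of live session ids that logout empties."""
import hashlib, hmac, secrets, time

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

class SessionHandler:
    def __init__(self, check_registry):
        self.check_registry = check_registry  # False reproduces the flaw
        self.active = set()                   # server-side live session ids

    def login(self, user, ttl=3600, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_hex(8)
        payload = "%s|%d|%s" % (user, int(now + ttl), sid)
        self.active.add(sid)
        return payload + "|" + _sign(payload)

    def logout(self, cookie):
        self.active.discard(cookie.split("|")[2])  # server forgets the session

    def authorize(self, cookie, now=None):
        """May this cookie reach a privileged endpoint such as /admin?"""
        parts = cookie.split("|")
        if len(parts) != 4:
            return False
        user, exp, sid, mac = parts
        if not hmac.compare_digest(mac, _sign("%s|%s|%s" % (user, exp, sid))):
            return False
        now = time.time() if now is None else now
        if now >= int(exp):
            return False
        if not self.check_registry:
            return True  # flaw: logout never affects the cookie's validity
        return sid in self.active

def replay_after_logout(check_registry):
    """Regression check: True means a logged-out cookie still opens /admin."""
    handler = SessionHandler(check_registry)
    cookie = handler.login("admin")
    handler.logout(cookie)
    return handler.authorize(cookie)
```

With `check_registry=False` the replay succeeds, which is the behaviour the description reports; with `check_registry=True` the same cookie is refused after logout.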

Fix

Insufficient Session Expiration


Weakness Enumeration

Related Identifiers

CVE-2025-11699

Affected Products

Nopcommerce