nopCommerce 4.40.3 - Stored Cross-Site Scripting (XSS)
nopCommerce 4.40.3 has a stored XSS vulnerability: malicious script can be injected through the product name field. The payload uses an SVG element and obfuscation techniques to get past the filtering mechanism, and arbitrary JavaScript runs when a user views the product. 2025-10-1 20:54:33 Author: cxsecurity.com

# Exploit Title: nopCommerce 4.40.3 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Scott Sturrock 'ssturrock -at- protonmail -dot- com'
# Vendor Homepage: https://www.nopcommerce.com/
# Software Link: https://github.com/nopSolutions/nopCommerce/releases/tag/release-4.40.3
# Version: 4.40.3 (latest tested)
# CVE-2021-42193
# https://www.cve.org/CVERecord?id=CVE-2021-42193

nopCommerce 4.40.3 is vulnerable to stored cross-site scripting (XSS) in the Product Name field at /Admin/Product/Edit/[id]. Each time the product is viewed on the public-facing shop, the payload executes in the context of the victim's browser.

Payload evasion and detection bypass techniques:

- The payload uses an SVG element with an onload handler instead of a script tag. SVG tags are often overlooked by simple sanitisation routines but still execute JavaScript when their onload event fires.
- Rather than writing "Function" or "alert" directly, the payload accesses the Function constructor indirectly via [].filter.constructor and splits the property names as "fi"+"lter" and "constr"+"uctor" to break up the keywords. This prevents simple pattern matching or blacklisting of those strings.
- The string for alert("XSS") is assembled using Unicode escapes: al\u0065rt for alert, \u0028 for "(" and \u0029 for ")". This hides the actual call from naive regex filters.
- The payload wraps the code in template literals (`…`) rather than quotes. This bypasses filters that assume quotes are required around JavaScript strings.
- These combined techniques produce valid JavaScript at runtime but appear heavily obfuscated to static analysis.

Steps to reproduce:

1. Log in as admin and navigate to: /Admin/Product/Edit/[id]
2. In the "Product Name" field, enter the following payload:
   <svg/onload='[]["fi"+"lter"]["constr"+"uctor"](`al\u0065rt\u0028"XSS"\u0029`)()'>
3. Save the product.
4. Visit the product page in the shop frontend. The payload will trigger on page load, executing arbitrary JavaScript in the browser.

Because the payload fires on the public product page, unauthenticated visitors can be affected depending on how the product is viewed. Only tested on version 4.40.3. Earlier or later versions may also be vulnerable.
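The evasion list above is really an argument about where filtering belongs. The following added example (written for this page, not code from the advisory or from the nopCommerce project) takes the advisory's own payload as constructed test input and shows three things: a keyword blacklist of the kind the advisory says it evades does not flag it; a structural check for inline event handlers and a normalisation step that undoes the \uXXXX escapes and the "fi"+"lter" splitting do flag it, which is useful for log review or WAF tuning; and HTML-encoding the product name on output makes the question moot, because the stored text is never parsed as markup. All function names (naiveBlacklistBlocks, hasInlineEventHandler, normalizeForDetection, htmlEncode) are the example's own and say nothing about how nopCommerce itself renders or fixed the field.

```javascript
// Added example (not from the advisory or the nopCommerce project): why a
// keyword blacklist does not stop the advisory's payload, and what does.

// The payload quoted in the advisory, embedded here as the constructed test
// input. Backslashes are doubled so the string holds a literal "\u0065",
// exactly as it would sit in the database.
const PAYLOAD =
  '<svg/onload=\'[]["fi"+"lter"]["constr"+"uctor"](`al\\u0065rt\\u0028"XSS"\\u0029`)()\'>';

// 1. A naive blacklist of the kind the advisory says the payload evades.
const NAIVE_PATTERNS = [
  /<script/i,
  /javascript:/i,
  /\balert\s*\(/i,
  /\bFunction\b/,
  /\beval\s*\(/i,
];
function naiveBlacklistBlocks(input) {
  return NAIVE_PATTERNS.some((re) => re.test(input));
}

// 2. A structural check: any tag carrying an on*= attribute. This catches the
//    SVG onload handler regardless of what the handler body looks like, but it
//    is still a heuristic for log review or WAF tuning, not a fix.
function hasInlineEventHandler(input) {
  return /<[a-z][^>]*[\s\/]on[a-z]+\s*=/i.test(input);
}

// 3. Normalisation before matching: undo the \uXXXX escapes and the
//    "fi"+"lter" string splitting the advisory describes, so the keyword
//    patterns in (1) see the code the browser will actually run.
function normalizeForDetection(input) {
  let s = input.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16))
  );
  let prev;
  do {
    prev = s;
    s = s.replace(/"([^"]*)"\s*\+\s*"([^"]*)"/g, '"$1$2"');
  } while (s !== prev); // repeat until no adjacent string pairs remain
  return s;
}

// 4. The actual fix: encode on output for the HTML context, so a stored name
//    is rendered as text and never parsed as markup. Nothing about the
//    payload's content matters once '<' cannot start a tag.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
};
function htmlEncode(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-alone run: prints each verdict for the advisory's payload.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive blacklist blocks payload? ', naiveBlacklistBlocks(PAYLOAD));
  console.log('inline event handler detected?  ', hasInlineEventHandler(PAYLOAD));
  console.log('normalised form:                ', normalizeForDetection(PAYLOAD));
  console.log('blacklist after normalisation?  ', naiveBlacklistBlocks(normalizeForDetection(PAYLOAD)));
  console.log('encoded for output:             ', htmlEncode(PAYLOAD));
}
```

Run with `node` to see the verdicts. The order of the functions is the point: (1) fails on the stored payload, (2) and (3) turn the advisory's evasion tricks into detection signals, and (4) is the only one that removes the vulnerability, because output encoding is independent of how cleverly the input was written.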
Source: https://cxsecurity.com/issue/WLB-2025100002