Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen.
Add your gear to cvedb and we'll alert you only when nopcommerce ships something exploited.
Check my exposure →This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.