Nexi XPay

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.

Basic Information

ID CVE-2025-15565

Source Wordfence

Published Apr 14, 2026 at 21:26

Affected Product

Vendor cartasi

Product Nexi XPay

Affected Versions cartasi Nexi XPay 0

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.",
    "published": "2026-04-14T21:26:40.111Z",
    "modified": "2026-04-14T21:26:40.111Z",
    "type": "cve",
    "title": "Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve\nhttps://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268",
    "id": "CVE-2025-15565",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "cartasi Nexi XPay 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Nexi XPay",
    "version": "0",
    "vendor": "cartasi",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification_CVE-2025-15565