Description
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.
Published: 2026-04-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of WooCommerce order status, enabling unauthenticated attackers to mark pending orders as paid or completed
Action: Immediate patch
AI Analysis

Impact

The Nexi XPay plugin for WordPress performs no authorization check on its redirect function in all releases up to and including 8.3.0. An unauthenticated attacker can therefore call that function directly and move a pending WooCommerce order to a paid or completed status even though the payment gateway never took payment. The practical consequence is goods or services released against orders that were never paid for, followed by financial loss, refund disputes and reconciliation work once the discrepancy between order status and settled transactions is noticed.

Affected Systems

The vulnerable component is the Nexi XPay WordPress plugin distributed by Cartasi. All versions 8.3.0 and earlier are affected. Users deploying the plugin on any WordPress site that processes WooCommerce orders should verify and update their installation.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, score 5.3, Medium) describes a missing authorization check (CWE-862) reachable over the network with no privileges and no user interaction; the only rated impact is a limited loss of integrity, with no confidentiality or availability effect. The EPSS probability is below 1% and the issue is not on the CISA KEV list, so there is no evidence of exploitation in the wild at the time of writing. Because no authentication is required, an attacker can exploit the flaw from the public web by sending a crafted request to the plugin's redirect endpoint, and the SSVC assessment recorded in the history below rates it Automatable. No public exploit has been documented, but since anyone can convert unpaid orders into paid ones, the business risk for any store taking payments through the plugin is real. Until the plugin is updated, the exploitation vector remains open.

Generated by OpenCVE AI on April 14, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nexi XPay WordPress plugin to a release later than 8.3.0 that adds the missing authorization check to the redirect function. No vendor fix is listed on this page yet, so confirm in the plugin changelog that the release you install actually contains the fix.
  • If an immediate upgrade is not possible, restrict access to the plugin's redirect handler at the web server or in the plugin settings so that unauthenticated requests cannot reach it. Identify the handler's URL from the installed plugin's source before blocking it, and test a checkout afterwards: the same handler may be what returns legitimate customers from the gateway, so a blanket block can break payment completion as well as the attack.
  • After remediation, audit the order status history and transaction records for orders that reached processing or completed without a matching gateway payment, and add monitoring that alerts on any future transition to a paid status that has no transaction record behind it.

Generated by OpenCVE AI on April 14, 2026 at 22:21 UTC.
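The audit in the third recommended action can be scripted. The block below is an added example for this advisory, not code from the OpenCVE page or from the Nexi XPay plugin. It assumes that status changes are taken from WooCommerce order notes, which read "Order status changed from <Old> to <New>.", that the gateway transaction id is the value WooCommerce stores per order (shown as "Transaction ID" on the order screen), and that the gateway's own settlement export is available as a set of transaction ids. The sample notes, transaction ids and settlement set at the bottom are constructed for the example.

```python
"""Audit WooCommerce order status history for orders that reached a paid
status without a matching gateway transaction.

Added example; not the plugin's code. Assumptions: status changes come from
WooCommerce order notes ("Order status changed from <Old> to <New>."), the
per-order transaction id is the one WooCommerce stores for the order, and a
set of transaction ids settled at the gateway is available for reconciliation.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# WooCommerce writes one order note per status change, using status labels.
STATUS_NOTE = re.compile(r"Order status changed from (?P<old>.+?) to (?P<new>.+?)\.")

# Status labels as they appear in order notes, mapped to WooCommerce slugs.
LABEL_TO_SLUG = {
    "Pending payment": "pending",
    "Processing": "processing",
    "On hold": "on-hold",
    "Completed": "completed",
    "Cancelled": "cancelled",
    "Refunded": "refunded",
    "Failed": "failed",
}

# Statuses that mean the store treats the order as paid, and the statuses a
# genuine payment normally starts from.
PAID_STATUSES = {"processing", "completed"}
UNPAID_STATUSES = {"pending", "on-hold", "failed"}


@dataclass(frozen=True)
class OrderNote:
    order_id: int
    text: str


@dataclass(frozen=True)
class Finding:
    order_id: int
    old_status: str
    new_status: str
    reason: str


def parse_transition(note: OrderNote) -> Optional[Tuple[str, str]]:
    """Return (old_slug, new_slug) for a status-change note, else None."""
    m = STATUS_NOTE.search(note.text)
    if not m:
        return None
    old = LABEL_TO_SLUG.get(m.group("old"), m.group("old").lower())
    new = LABEL_TO_SLUG.get(m.group("new"), m.group("new").lower())
    return old, new


def audit_status_changes(
    notes: Iterable[OrderNote],
    transaction_ids: Dict[int, str],
    settled_at_gateway: Set[str],
) -> List[Finding]:
    """Flag unpaid -> paid transitions that no gateway payment backs up.

    Two checks: the order must carry a transaction id at all, and that id
    must appear in the gateway's settlement export. An order flipped to paid
    by an unauthorized call to the redirect handler fails the first check;
    a forged or stale id fails the second.
    """
    findings: List[Finding] = []
    for note in notes:
        transition = parse_transition(note)
        if transition is None:
            continue
        old, new = transition
        if old not in UNPAID_STATUSES or new not in PAID_STATUSES:
            continue
        txn = transaction_ids.get(note.order_id, "")
        if not txn:
            findings.append(Finding(note.order_id, old, new,
                                    "no transaction id stored on the order"))
        elif txn not in settled_at_gateway:
            findings.append(Finding(note.order_id, old, new,
                                    f"transaction id {txn} not found in gateway settlement export"))
    return findings


# Constructed sample: 1001 is a legitimate payment, 1002 was moved to completed
# with no transaction id, 1003 carries an id the gateway never settled, and
# 1004 was cancelled and should not be flagged.
SAMPLE_NOTES = [
    OrderNote(1001, "Order status changed from Pending payment to Processing."),
    OrderNote(1001, "Order status changed from Processing to Completed."),
    OrderNote(1002, "Order status changed from Pending payment to Completed."),
    OrderNote(1003, "Order status changed from Pending payment to Processing."),
    OrderNote(1004, "Order status changed from Pending payment to Cancelled."),
]
SAMPLE_TRANSACTION_IDS = {1001: "TXN-A1", 1003: "TXN-B2"}
SAMPLE_SETTLED = {"TXN-A1"}


if __name__ == "__main__":
    for f in audit_status_changes(SAMPLE_NOTES, SAMPLE_TRANSACTION_IDS, SAMPLE_SETTLED):
        print(f"order {f.order_id}: {f.old_status} -> {f.new_status}: {f.reason}")
```

Run against a real export, the loader for SAMPLE_NOTES and SAMPLE_TRANSACTION_IDS is replaced by a query of the order notes and order meta, and SAMPLE_SETTLED by the gateway's settlement report for the same period. Orders that appear in the findings are the ones to hold, refund or investigate; the same function can run on a schedule as the monitoring the recommendation asks for.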

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Cartasi; Cartasi nexi Xpay; Wordpress; Wordpress wordpress
Vendors & Products  |                | Cartasi; Cartasi nexi Xpay; Wordpress; Wordpress wordpress

Wed, 15 Apr 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 21:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.
Title       |                | Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T13:33:09.315Z

Reserved: 2026-02-05T21:54:02.953Z

Link: CVE-2025-15565

Vulnrichment

Updated: 2026-04-15T13:33:06.138Z

NVD

Status : Received

Published: 2026-04-14T22:16:27.727

Modified: 2026-04-14T22:16:27.727

Link: CVE-2025-15565

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:53Z

Weaknesses