Impact
The Nexi XPay plugin contains a missing authorization flaw that permits unauthorized users to bypass access controls and interact with privileged functions, potentially leading to unauthorized disclosure of sensitive information, data manipulation or execution of restricted operations.
Affected Systems
Vulnerable versions of the Nexi XPay WordPress plugin are all releases up to and including version 8.3.1. The plugin is distributed by Nexi Payments. Administrators using versions 8.3.2 or later are not affected; however, any site that has not updated is exposed.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity when the flaw is exploited, but the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, which implies it has not yet been observed in widespread attacks. Based on the description, it is inferred that attackers may exploit the lack of authorization checks by sending specially crafted HTTP requests to the plugin’s endpoints, potentially gaining unauthorized access without needing valid credentials.
OpenCVE Enrichment