CVE-2025-15565

MEDIUM 5.3

Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

11th

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.

CWE	CWE-862
Vendor	cartasi
Product	nexi xpay
Published	Apr 14, 2026
Last Updated	Apr 15, 2026

Stay Ahead of the Next One

Get instant alerts for cartasi nexi xpay

Be the first to know when new medium vulnerabilities affecting cartasi nexi xpay are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

cartasi / Nexi XPay

0 ≤ 8.3.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268

Credits

Md. Moniruzzaman Prodhan