WordPress Plugin Vulnerabilities

Nexi XPay < 8.3.2 - Missing Authorization to Unauthenticated Order Status Modification

Description

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.

Affects Plugins

Plugin icon
cartasi-x-pay
Fixed in 8.3.2

References

CVE
CVE-2025-15565
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
Verified
No
WPVDB ID
560fd36c-d495-437a-b057-cca857841437

Timeline

Publicly Published
2026-04-14 (about 2 months ago)
Added
2026-04-14 (about 2 months ago)
Last Updated
2026-04-14 (about 2 months ago)

Other

Published
Title
Published
2025-05-22
Title
CryptoCloud - Crypto Payment Gateway < 2.3.2 - Missing Authorization
Published
2025-02-28
Title
BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages < 3.4.25 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update
Published
2025-12-05
Title
SMS Alert Order Notifications < 3.8.9 - Missing Authorization
Published
2025-06-05
Title
BM Content Builder < 3.16.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save
Published
2024-07-04
Title
The Post Grid < 7.7.5 - Missing Authorization via AJAX