CVE-2025-15565
Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
14 abr 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Productos afectados
cartasi · Nexi XPay