Vulnerabilities and security researches forcartasi-x-pay cartasi-x-pay

Apr 16, 2026

CVE, Research URL: CVE-2025-15565
Home page URL: Security reports for Nexi XPay
Application: Nexi XPay
Date: Apr 15, 2026
Research Description: The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.
Affected versions: max 8.3.2.
Status: vulnerable