Vulnerabilities and security researches forcartasi-x-pay cartasi-x-pay

Jun 19, 2026

CVE, Research URL: CVE-2026-54810
Home page URL: Security reports for Nexi XPay
Application: Nexi XPay
Date: Jun 17, 2026
Research Description: Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1.
Affected versions: max 8.3.2.
Status: vulnerable

Apr 16, 2026

CVE, Research URL: CVE-2025-15565
Home page URL: Security reports for Nexi XPay
Application: Nexi XPay
Date: Apr 15, 2026
Research Description: The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.
Affected versions: max 8.3.2.
Status: vulnerable