cleantalk
Vulnerabilities and Security Researches

Nexi XPay, CVE-2025-15565

CVE, Research URL

CVE-2025-15565

Home page URL

Security reports for Nexi XPay

Application

Nexi XPay

Published on
Apr 15, 2026
Research Description
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.
Affected versions
max 8.3.2.
Status
vulnerable
Previous vulnerability researches
Easy Code Snippets (CVE-2025-23780) , Jan 18, 2025
Easy Code Snippets (CVE-2022-4974) , Nov 15, 2024
Easy Code Snippets (CVE-2024-11464) , Dec 08, 2024
Easy Code Snippets (9c520bd00fffb08cd81aff79a4b766b6b389dacd) , Jun 07, 2024
New vulnerability
UpMenu – Online ordering for restaurants (CVE-2026-1910) , Apr 16, 2026
Employee Directory – Staff Directory and Listing (CVE-2026-1279) , Apr 16, 2026
Advance Block Extend (CVE-2026-1646) , Apr 16, 2026
All push notification for WP (CVE-2026-0816) , Apr 16, 2026
Slideshow Wp (CVE-2026-1885) , Apr 16, 2026