Nexi XPay Security & Risk Analysis

wordpress.org/plugins/cartasi-x-pay

XPay is the payment gateway provided by Nexi, a leading group in Italy with the goal of shaping the future of digital payments.

6K active installs · v8.3.1 · PHP + WP 4.6+ · Updated Mar 5, 2026
Tags: e-commerce, nexi, nexi-payments, payment-gateway, xpay
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Nexi XPay Safe to Use in 2026?

Generally Safe

Score 100/100

Nexi XPay has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 29d ago
Risk Assessment

The "cartasi-x-pay" v8.3.1 plugin exhibits significant security concerns due to a large attack surface with a high proportion of unprotected entry points. Specifically, 14 AJAX handlers and 5 REST API routes lack proper authentication or permission checks. While the plugin demonstrates good practices, with all SQL queries using prepared statements and no dangerous functions identified, the lack of output escaping on a substantial portion (66%) of outputs poses a risk of Cross-Site Scripting (XSS) vulnerabilities.

The absence of nonce checks on AJAX handlers, coupled with the unescaped outputs, creates a direct pathway for potential XSS attacks. The taint analysis, although limited, did not reveal critical or high-severity unsanitized flows, but this could be due to the limited scope of analysis or the lack of direct input to those flows. The plugin's history of zero known CVEs is a positive indicator, but it does not mitigate the immediate risks identified in the static analysis. The plugin's strengths lie in its SQL handling and lack of bundled libraries, but these are overshadowed by the critical exposure of its entry points and output handling deficiencies.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Low output escaping percentage
  • Missing nonce checks on AJAX
  • Unsanitized flows (though limited)
Vulnerabilities
None known

Nexi XPay Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Nexi XPay Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 148 (75 escaped)
Nonce Checks: 0
Capability Checks: 3
File Operations: 0
External Requests: 3
Bundled Libraries: 0

Output Escaping

34% escaped (223 total outputs)
Data Flows
3 unsanitized

Data Flow Analysis

3 flows, 3 with unsanitized paths
save_apple_files (src\classes\Nexi\WC_Gateway_Admin.php:78)
Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
19 unprotected

Nexi XPay Attack Surface

Entry Points: 21
Unprotected: 19

AJAX Handlers 14

[auth] wp_ajax_calc_installments (src\classes\Nexi\WC_Pagodil_Widget.php:21)
[nopriv] wp_ajax_calc_installments (src\classes\Nexi\WC_Pagodil_Widget.php:22)
[auth] wp_ajax_validate_checkout_form (woocommerce-gateway-nexi-xpay.php:96)
[nopriv] wp_ajax_validate_checkout_form (woocommerce-gateway-nexi-xpay.php:97)
[auth] wp_ajax_get_build_fields (woocommerce-gateway-nexi-xpay.php:99)
[nopriv] wp_ajax_get_build_fields (woocommerce-gateway-nexi-xpay.php:100)
[auth] wp_ajax_build_payment_payload (woocommerce-gateway-nexi-xpay.php:102)
[nopriv] wp_ajax_build_payment_payload (woocommerce-gateway-nexi-xpay.php:103)
[auth] wp_ajax_google_pay_configuration (woocommerce-gateway-nexi-xpay.php:105)
[nopriv] wp_ajax_google_pay_configuration (woocommerce-gateway-nexi-xpay.php:106)
[auth] wp_ajax_apple_pay_configuration (woocommerce-gateway-nexi-xpay.php:108)
[nopriv] wp_ajax_apple_pay_configuration (woocommerce-gateway-nexi-xpay.php:109)
[auth] wp_ajax_apple_pay_validate_merchant (woocommerce-gateway-nexi-xpay.php:111)
[nopriv] wp_ajax_apple_pay_validate_merchant (woocommerce-gateway-nexi-xpay.php:112)

REST API Routes 7

POST /wp-json/woocommerce-gateway-nexi-xpay/s2s/npg/(?P<id>\d+) (src\classes\Nexi\WC_Gateway_NPG_Process_Completion.php:46)
GET /wp-json/woocommerce-gateway-nexi-xpay/googlepay/panonly/(?P<id>\d+) (src\classes\Nexi\WC_Gateway_NPG_Process_Completion.php:59)
GET /wp-json/woocommerce-gateway-nexi-xpay/process_account/npg/(?P<id>\d+) (src\classes\Nexi\WC_Gateway_NPG_Process_Completion.php:72)
POST /wp-json/woocommerce-gateway-nexi-xpay/s2s/xpay/(?P<id>\d+) (src\classes\Nexi\WC_Gateway_XPay_Process_Completion.php:40)
GET /wp-json/woocommerce-gateway-nexi-xpay/process_account/xpay/(?P<id>\d+) (src\classes\Nexi\WC_Gateway_XPay_Process_Completion.php:53)
GET /wp-json/woocommerce-gateway-nexi-xpay/gpay/redirect/(?P<id>\d+) (src\classes\Nexi\WC_Gateway_XPay_Process_Completion.php:68)
GET /wp-json/woocommerce-gateway-nexi-xpay/xpay/gpay/result/(?P<id>\d+) (src\classes\Nexi\WC_Gateway_XPay_Process_Completion.php:81)
WordPress Hooks 32
[action] add_meta_boxes (src\classes\Nexi\WC_Admin_Page.php:23)
[action] admin_notices (src\classes\Nexi\WC_Gateway_Admin.php:126)
[action] admin_notices (src\classes\Nexi\WC_Gateway_Admin.php:142)
[filter] woocommerce_saved_payment_methods_list (src\classes\Nexi\WC_Gateway_NPG_Cards.php:30)
[filter] woocommerce_saved_payment_methods_list (src\classes\Nexi\WC_Gateway_XPay_Cards.php:45)
[action] wp_head (src\classes\Nexi\WC_Pagodil_Widget.php:25)
[action] woocommerce_before_add_to_cart_button (src\classes\Nexi\WC_Pagodil_Widget.php:28)
[action] woocommerce_after_shop_loop_item_title (src\classes\Nexi\WC_Pagodil_Widget.php:31)
[action] woocommerce_proceed_to_checkout (src\classes\Nexi\WC_Pagodil_Widget.php:34)
[action] woocommerce_review_order_before_payment (src\classes\Nexi\WC_Pagodil_Widget.php:37)
[action] woocommerce_checkout_update_order_meta (src\classes\Nexi\WC_Pagodil_Widget.php:40)
[action] plugins_loaded (woocommerce-gateway-nexi-xpay.php:24)
[filter] woocommerce_payment_gateways (woocommerce-gateway-nexi-xpay.php:86)
[filter] woocommerce_available_payment_gateways (woocommerce-gateway-nexi-xpay.php:88)
[action] rest_api_init (woocommerce-gateway-nexi-xpay.php:91)
[action] rest_api_init (woocommerce-gateway-nexi-xpay.php:92)
[action] admin_init (woocommerce-gateway-nexi-xpay.php:162)
[action] admin_init (woocommerce-gateway-nexi-xpay.php:164)
[action] wp_enqueue_scripts (woocommerce-gateway-nexi-xpay.php:166)
[action] wp_nexi_polling (woocommerce-gateway-nexi-xpay.php:185)
[action] wp_nexi_update_npg_payment_methods (woocommerce-gateway-nexi-xpay.php:257)
[filter] cron_schedules (woocommerce-gateway-nexi-xpay.php:285)
[action] init (woocommerce-gateway-nexi-xpay.php:337)
[filter] query_vars (woocommerce-gateway-nexi-xpay.php:357)
[action] template_redirect (woocommerce-gateway-nexi-xpay.php:368)
[filter] wc_order_statuses (woocommerce-gateway-nexi-xpay.php:374)
[filter] woocommerce_valid_order_statuses_for_payment_complete (woocommerce-gateway-nexi-xpay.php:376)
[action] woocommerce_payment_token_deleted (woocommerce-gateway-nexi-xpay.php:378)
[action] admin_notices (woocommerce-gateway-nexi-xpay.php:393)
[action] before_woocommerce_init (woocommerce-gateway-nexi-xpay.php:397)
[action] woocommerce_blocks_loaded (woocommerce-gateway-nexi-xpay.php:407)
[action] woocommerce_blocks_payment_method_type_registration (woocommerce-gateway-nexi-xpay.php:412)

Scheduled Events 2

wp_nexi_polling
wp_nexi_update_npg_payment_methods
Maintenance & Trust

Nexi XPay Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version
Downloads: 111K

Community Trust

Rating: 60/100
Number of ratings: 7
Active installs: 6K
Developer Profile

Nexi XPay Developer Profile

Nexi Payments

2 plugins · 6K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Nexi XPay

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cartasi-x-pay/assets/js/xpay.js
/wp-content/plugins/cartasi-x-pay/assets/css/xpay.css
/wp-content/plugins/cartasi-x-pay/assets/js/xpay-googlepay-npg.js
/wp-content/plugins/cartasi-x-pay/assets/js/xpay-googlepay.js
/wp-content/plugins/cartasi-x-pay/assets/js/xpay-applepay.js
/wp-content/plugins/cartasi-x-pay/assets/js/xpay-build-npg.js
/wp-content/plugins/cartasi-x-pay/assets/js/xpay-build.js

Script Paths
https://pay.google.com/gp/p/js/pay.js
https://applepay.cdn-apple.com/jsapi/1.latest/apple-pay-sdk.js

Version Parameters
cartasi-x-pay/xpay.js?ver=
cartasi-x-pay/xpay.css?ver=
cartasi-x-pay/xpay-googlepay-npg.js?ver=
cartasi-x-pay/xpay-googlepay.js?ver=
cartasi-x-pay/xpay-applepay.js?ver=
cartasi-x-pay/xpay-build-npg.js?ver=
cartasi-x-pay/xpay-build.js?ver=

HTML / DOM Fingerprints

JS Globals
window.xpay_checkout
window.xpay_googlepay_npg
window.xpay_googlepay
window.xpay_applepay
window.xpay_build_npg
window.xpay_build

REST Endpoints
/wp-json/nexi-xpay/v1/s2s-notification
/wp-json/nexi-xpay/v1/redirect-completion
/wp-json/nexi-xpay/v1/cancel-url
/wp-json/nexi-npg/v1/s2s-notification
/wp-json/nexi-npg/v1/redirect-completion
/wp-json/nexi-npg/v1/cancel-url
FAQ

Frequently Asked Questions about Nexi XPay