Does Nexi XPay Build have any unpatched vulnerabilities?

No. All known vulnerabilities in Nexi XPay Build have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Nexi XPay Build compatible with WordPress 6.8.5?

According to WordPress.org data, Nexi XPay Build 7.6.2 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

How often is Nexi XPay Build updated?

Nexi XPay Build was last updated on Aug 1, 2025. Frequent updates are generally a positive security signal.

What is Nexi XPay Build's security score?

Nexi XPay Build has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Nexi XPay Build Security & Risk Analysis

wordpress.org/plugins/nexi-xpay-build

XPay is the payment gateway provided by Nexi, a leading group in Italy with the goal of shaping the future of digital payments.

100 active installs v7.6.2 PHP + WP 4.6+ Updated Aug 1, 2025

e-commercenexinexi-paymentspayment-gatewayxpay

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Nexi XPay Build Safe to Use in 2026?

Generally Safe

Score 100/100

Nexi XPay Build has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 8mo ago

Risk Assessment

The "nexi-xpay-build" v7.6.2 plugin exhibits a significant security concern due to a large, unprotected attack surface. While the plugin demonstrates good practices in its handling of SQL queries by exclusively using prepared statements and avoids dangerous functions, its implementation of AJAX handlers and REST API routes is highly insecure. A concerning 12 out of 13 total entry points lack authentication or permission checks, exposing them to potential unauthorized access and manipulation. Furthermore, the low percentage of properly escaped output suggests a substantial risk of Cross-Site Scripting (XSS) vulnerabilities, as user-supplied data may be rendered without sufficient sanitization.

The plugin's taint analysis indicates one flow with unsanitized paths, although it was not classified as critical or high severity. This, combined with the absence of any recorded vulnerabilities (CVEs) and lack of nonce checks, might suggest that current exploit vectors are limited or undiscovered. However, the fundamental weaknesses in its access control for entry points present a broad and easily exploitable attack surface that could be leveraged in conjunction with other, potentially subtle, vulnerabilities. The plugin's strengths lie in its database query security and lack of known historical exploits, but its extensive unprotected entry points and poor output escaping are critical security deficiencies that need immediate attention.

Key Concerns

Unprotected AJAX handlers
Unprotected REST API routes
Low percentage of properly escaped output
Flow with unsanitized paths (taint analysis)
No nonce checks

Vulnerabilities

None known

Nexi XPay Build Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Nexi XPay Build Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

130

62 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

32% escaped192 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

1 flows1 with unsanitized paths

<WC_Gateway_NPG_Cards> (src\classes\Nexi\WC_Gateway_NPG_Cards.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

12 unprotected

Nexi XPay Build Attack Surface

Entry Points13

Unprotected12

AJAX Handlers 6

authwp_ajax_calc_installmentssrc\classes\Nexi\WC_Pagodil_Widget.php:21

noprivwp_ajax_calc_installmentssrc\classes\Nexi\WC_Pagodil_Widget.php:22

authwp_ajax_get_build_fieldswoocommerce-gateway-nexi-xpay.php:101

noprivwp_ajax_get_build_fieldswoocommerce-gateway-nexi-xpay.php:102

authwp_ajax_build_payment_payloadwoocommerce-gateway-nexi-xpay.php:104

noprivwp_ajax_build_payment_payloadwoocommerce-gateway-nexi-xpay.php:105

REST API Routes 7

POST/wp-json/woocommerce-gateway-nexi-xpay/s2s/npg/(?P<id>\d+)src\classes\Nexi\WC_Gateway_NPG_Process_Completion.php:21

GET/wp-json/woocommerce-gateway-nexi-xpay/redirect/npg/(?P<id>\d+)src\classes\Nexi\WC_Gateway_NPG_Process_Completion.php:34

GET/wp-json/woocommerce-gateway-nexi-xpay/cancel/npg/(?P<id>\d+)src\classes\Nexi\WC_Gateway_NPG_Process_Completion.php:47

GET/wp-json/woocommerce-gateway-nexi-xpay/process_account/npg/(?P<id>\d+)src\classes\Nexi\WC_Gateway_NPG_Process_Completion.php:60

POST/wp-json/woocommerce-gateway-nexi-xpay/s2s/xpay/(?P<id>\d+)src\classes\Nexi\WC_Gateway_XPay_Process_Completion.php:21

GET/wp-json/woocommerce-gateway-nexi-xpay/redirect/xpay/(?P<id>\d+)src\classes\Nexi\WC_Gateway_XPay_Process_Completion.php:34

GET/wp-json/woocommerce-gateway-nexi-xpay/cancel/xpay/(?P<id>\d+)src\classes\Nexi\WC_Gateway_XPay_Process_Completion.php:47

WordPress Hooks 30

actionadd_meta_boxessrc\classes\Nexi\WC_Admin_Page.php:23

actionadmin_noticessrc\classes\Nexi\WC_Gateway_Admin.php:98

actionadmin_noticessrc\classes\Nexi\WC_Gateway_Admin.php:114

filterwoocommerce_saved_payment_methods_listsrc\classes\Nexi\WC_Gateway_NPG_Cards.php:31

filterwoocommerce_saved_payment_methods_listsrc\classes\Nexi\WC_Gateway_NPG_Cards_Build.php:33

filterwoocommerce_saved_payment_methods_listsrc\classes\Nexi\WC_Gateway_XPay_Cards.php:61

filterwoocommerce_saved_payment_methods_listsrc\classes\Nexi\WC_Gateway_XPay_Cards_Build.php:53

actionwp_headsrc\classes\Nexi\WC_Pagodil_Widget.php:25

actionwoocommerce_before_add_to_cart_buttonsrc\classes\Nexi\WC_Pagodil_Widget.php:28

actionwoocommerce_after_shop_loop_item_titlesrc\classes\Nexi\WC_Pagodil_Widget.php:31

actionwoocommerce_proceed_to_checkoutsrc\classes\Nexi\WC_Pagodil_Widget.php:34

actionwoocommerce_review_order_before_paymentsrc\classes\Nexi\WC_Pagodil_Widget.php:37

actionwoocommerce_checkout_update_order_metasrc\classes\Nexi\WC_Pagodil_Widget.php:40

actionplugins_loadedwoocommerce-gateway-nexi-xpay.php:26

filterwoocommerce_payment_gatewayswoocommerce-gateway-nexi-xpay.php:93

actionrest_api_initwoocommerce-gateway-nexi-xpay.php:96

actionrest_api_initwoocommerce-gateway-nexi-xpay.php:97

actionadmin_initwoocommerce-gateway-nexi-xpay.php:123

actionwp_enqueue_scriptswoocommerce-gateway-nexi-xpay.php:125

actionwp_nexi_pollingwoocommerce-gateway-nexi-xpay.php:144

actionwp_nexi_update_npg_payment_methodswoocommerce-gateway-nexi-xpay.php:216

filtercron_scheduleswoocommerce-gateway-nexi-xpay.php:244

actioninitwoocommerce-gateway-nexi-xpay.php:303

filterwc_order_statuseswoocommerce-gateway-nexi-xpay.php:305

filterwoocommerce_valid_order_statuses_for_payment_completewoocommerce-gateway-nexi-xpay.php:307

actionwoocommerce_payment_token_deletedwoocommerce-gateway-nexi-xpay.php:309

actionadmin_noticeswoocommerce-gateway-nexi-xpay.php:324

actionbefore_woocommerce_initwoocommerce-gateway-nexi-xpay.php:328

actionwoocommerce_blocks_loadedwoocommerce-gateway-nexi-xpay.php:338

actionwoocommerce_blocks_payment_method_type_registrationwoocommerce-gateway-nexi-xpay.php:343

Scheduled Events 2

wp_nexi_polling

wp_nexi_update_npg_payment_methods

Maintenance & Trust

Nexi XPay Build Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedAug 1, 2025

PHP min version

Downloads7K

Community Trust

Rating0/100

Number of ratings0

Active installs100

Alternatives

Nexi XPay Build Alternatives

Nexi XPay

cartasi-x-pay

100

XPay is the payment gateway provided by Nexi, a leading group in Italy with the goal of shaping the future of digital payments.

6K No CVEs

Instamojo for WooCommerce

woo-instamojo

Sell & collect payments instantly for almost anything -- directly from your WordPress website.

5K No CVEs

Up2pay e-Transactions WooCommerce Payment Gateway

e-transactions-wc

100

This plugin is a Up2pay e-Transactions payment gateway for WooCommerce 4.x

4K No CVEs

HyperPay Payments

hyperpay-gateways

100

Payments Gateways provided by Gate2Play, to make you able to add Credit Card, Mada, STCpay and more payments method.

600 No CVEs

Paybox WooCommerce Payment Gateway

paybox-woocommerce-gateway

100

This plugin is a Paybox payment gateway for WooCommerce 4.x

500 No CVEs

Developer Profile

Nexi XPay Build Developer Profile

Nexi Payments

2 plugins · 6K total installs

trust score

Avg Security Score

100/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Nexi XPay Build

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/nexi-xpay-build/assets/js/xpay-build-npg.js/wp-content/plugins/nexi-xpay-build/assets/js/xpay-build.js/wp-content/plugins/nexi-xpay-build/assets/js/xpay.js/wp-content/plugins/nexi-xpay-build/assets/css/xpay.css

Script Paths

assets/js/xpay.jsassets/js/xpay-build-npg.jsassets/js/xpay-build.js

Version Parameters

nexi-xpay-build/assets/js/xpay.js?ver=nexi-xpay-build/assets/css/xpay.css?ver=nexi-xpay-build/assets/js/xpay-build-npg.js?ver=nexi-xpay-build/assets/js/xpay-build.js?ver=

HTML / DOM Fingerprints

Data Attributes

data-payment-method="xpay_build"

JS Globals

window.Nexi_Xpay_Build_Params

REST Endpoints

/wp-json/nexi/v1/s2s/xpay/wp-json/nexi/v1/s2s/npg

FAQ