Nexi XPay <= 8.3.1 - Missing Authorization
Description
The Nexi XPay plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.3.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-54810 (Nexi XPay) ## 1. Vulnerability Summary **CVE-2026-54810** is a Missing Authorization vulnerability in the Nexi XPay (cartasi-x-pay) plugin for WordPress (versions <= 8.3.1). The vulnerability arises because a specific AJAX handler, registered via `wp_aj…
Show full research plan
Exploitation Research Plan: CVE-2026-54810 (Nexi XPay)
1. Vulnerability Summary
CVE-2026-54810 is a Missing Authorization vulnerability in the Nexi XPay (cartasi-x-pay) plugin for WordPress (versions <= 8.3.1). The vulnerability arises because a specific AJAX handler, registered via wp_ajax_nopriv_, performs a sensitive action (likely related to configuration or transaction state) without verifying the user's capabilities (e.g., current_user_can('manage_options')). This allows unauthenticated attackers to trigger the function and modify plugin behavior or data.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action: To be determined via code audit, but likely related to
nexi_orcartasi_prefixes (e.g.,wp_ajax_nopriv_nexi_xpay_save_settingsorwp_ajax_nopriv_xpay_update_status). - Authentication: None required (unauthenticated via
noprivhook). - Preconditions: Plugin must be active. A valid WordPress nonce may be required if
check_ajax_refereris present, but given the "Missing Authorization" nature, the primary flaw is the lack of capability checks.
3. Code Flow Analysis
The agent must trace the following path:
- Entry Point: Search for registration of unauthenticated AJAX hooks:
grep -rn "wp_ajax_nopriv_" wp-content/plugins/cartasi-x-pay/ - Handler Identification: Identify the callback function associated with the
noprivhook. (e.g.,add_action( 'wp_ajax_nopriv_[ACTION]', '[CALLBACK]' );). - Sink Analysis: Inspect the
[CALLBACK]function. Look for:- Missing:
current_user_can( ... )checks. - Action: Use of
update_option(),$wpdb->update(), or functions that change payment gateway settings (API keys, terminal IDs, etc.).
- Missing:
- Parameter Mapping: Identify which
$_POSTor$_REQUESTparameters are used within the sink to determine the exploit payload.
4. Nonce Acquisition Strategy
If the handler uses check_ajax_referer( 'some_action', 'security' ), the agent must retrieve a valid nonce.
- Find Nonce Source: Search for where the nonce is created:
grep -rn "wp_create_nonce" wp-content/plugins/cartasi-x-pay/ - Identify Localization: Look for
wp_localize_scriptcalls that pass this nonce to the frontend.- Example:
wp_localize_script( 'nexi-js', 'NexiParams', array( 'nonce' => wp_create_nonce('nexi_action') ) );
- Example:
- Extraction via Browser:
- Identify the shortcode or page where the plugin script loads (e.g., a checkout page or a settings page).
- Create a test page:
wp post create --post_type=page --post_status=publish --post_content='[nexi_xpay_shortcode]'(inferred). - Navigate to the page and extract the nonce:
browser_eval("window.NexiParams?.nonce")(inferred - replace with actual JS object and key).
5. Exploitation Strategy
Once the action and parameters are identified, use the http_request tool:
Request Details:
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=[VULNERABLE_ACTION]& security=[NONCE_IF_REQUIRED]& [PARAM_1]=[MALICIOUS_VALUE]& [PARAM_2]=[MALICIOUS_VALUE]
Example Payload (Inferred):
If the vulnerability allows updating the terminal ID:action=nexi_xpay_update_settings&terminal_id=12345&security=abc123def4
6. Test Data Setup
- Install and activate Nexi XPay <= 8.3.1.
- Ensure the plugin is configured with a "dummy" Terminal ID via the admin UI (to verify it changes later).
- If a shortcode is needed for nonce extraction, identify it:
grep -rn "add_shortcode" wp-content/plugins/cartasi-x-pay/ - Create a public page with that shortcode.
7. Expected Results
- HTTP Response: A
200 OKresponse, potentially containing{"success":true}or a1(typical for successful AJAX). - State Change: The targeted setting (e.g., Terminal ID, Secret Key, or Order Status) is updated in the database without administrative intervention.
8. Verification Steps
After the HTTP request, use WP-CLI to confirm the change:
- Check Options: If the exploit targeted an option:
wp option get [OPTION_NAME] - Check Database: If the exploit targeted a custom table:
wp db query "SELECT * FROM wp_nexi_xpay_settings WHERE ..." --size=csv
9. Alternative Approaches
- If
noprivis missing: Check if the vulnerability is actuallywp_ajax_(authenticated) but allows Subscriber level users to perform admin actions (Missing Authorization for low-privilege users). - REST API: Check if the plugin registers REST routes with
register_rest_routeand uses__return_truefor thepermission_callback.grep -rn "register_rest_route" wp-content/plugins/cartasi-x-pay/ -A 5
Summary
The Nexi XPay plugin for WordPress is vulnerable to unauthorized access in versions up to 8.3.1 due to a missing capability check on an AJAX handler. This allows unauthenticated attackers to execute sensitive functions, such as modifying plugin settings or terminal configurations, by targeting actions registered via the wp_ajax_nopriv_ hook.
Security Fix
@@ -10,5 +10,9 @@ function nexi_xpay_process_ajax() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( 'Unauthorized', 403 ); + } + // Processing logic for sensitive plugin settings
Exploit Outline
The exploit involves sending a POST request to /wp-admin/admin-ajax.php with an 'action' parameter linked to a 'wp_ajax_nopriv_' hook. Since the handler lacks a 'current_user_can' check, unauthenticated attackers can pass parameters in the POST body to modify plugin settings (such as Terminal IDs or API keys). If a security nonce is required, it can be obtained by inspecting the site's frontend source code for localized JavaScript objects containing the nonce.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.