CVE-2026-54810

Nexi XPay <= 8.3.1 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
8.3.2
Patched in
7d
Time to patch

Description

The Nexi XPay plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.3.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=8.3.1
PublishedJune 17, 2026
Last updatedJune 23, 2026
Affected plugincartasi-x-pay

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-54810 (Nexi XPay) ## 1. Vulnerability Summary **CVE-2026-54810** is a Missing Authorization vulnerability in the Nexi XPay (cartasi-x-pay) plugin for WordPress (versions <= 8.3.1). The vulnerability arises because a specific AJAX handler, registered via `wp_aj…

Show full research plan

Exploitation Research Plan: CVE-2026-54810 (Nexi XPay)

1. Vulnerability Summary

CVE-2026-54810 is a Missing Authorization vulnerability in the Nexi XPay (cartasi-x-pay) plugin for WordPress (versions <= 8.3.1). The vulnerability arises because a specific AJAX handler, registered via wp_ajax_nopriv_, performs a sensitive action (likely related to configuration or transaction state) without verifying the user's capabilities (e.g., current_user_can('manage_options')). This allows unauthenticated attackers to trigger the function and modify plugin behavior or data.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: To be determined via code audit, but likely related to nexi_ or cartasi_ prefixes (e.g., wp_ajax_nopriv_nexi_xpay_save_settings or wp_ajax_nopriv_xpay_update_status).
  • Authentication: None required (unauthenticated via nopriv hook).
  • Preconditions: Plugin must be active. A valid WordPress nonce may be required if check_ajax_referer is present, but given the "Missing Authorization" nature, the primary flaw is the lack of capability checks.

3. Code Flow Analysis

The agent must trace the following path:

  1. Entry Point: Search for registration of unauthenticated AJAX hooks:
    grep -rn "wp_ajax_nopriv_" wp-content/plugins/cartasi-x-pay/
  2. Handler Identification: Identify the callback function associated with the nopriv hook. (e.g., add_action( 'wp_ajax_nopriv_[ACTION]', '[CALLBACK]' );).
  3. Sink Analysis: Inspect the [CALLBACK] function. Look for:
    • Missing: current_user_can( ... ) checks.
    • Action: Use of update_option(), $wpdb->update(), or functions that change payment gateway settings (API keys, terminal IDs, etc.).
  4. Parameter Mapping: Identify which $_POST or $_REQUEST parameters are used within the sink to determine the exploit payload.

4. Nonce Acquisition Strategy

If the handler uses check_ajax_referer( 'some_action', 'security' ), the agent must retrieve a valid nonce.

  1. Find Nonce Source: Search for where the nonce is created:
    grep -rn "wp_create_nonce" wp-content/plugins/cartasi-x-pay/
  2. Identify Localization: Look for wp_localize_script calls that pass this nonce to the frontend.
    • Example: wp_localize_script( 'nexi-js', 'NexiParams', array( 'nonce' => wp_create_nonce('nexi_action') ) );
  3. Extraction via Browser:
    • Identify the shortcode or page where the plugin script loads (e.g., a checkout page or a settings page).
    • Create a test page: wp post create --post_type=page --post_status=publish --post_content='[nexi_xpay_shortcode]' (inferred).
    • Navigate to the page and extract the nonce:
      browser_eval("window.NexiParams?.nonce") (inferred - replace with actual JS object and key).

5. Exploitation Strategy

Once the action and parameters are identified, use the http_request tool:

Request Details:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=[VULNERABLE_ACTION]&
    security=[NONCE_IF_REQUIRED]&
    [PARAM_1]=[MALICIOUS_VALUE]&
    [PARAM_2]=[MALICIOUS_VALUE]
    

Example Payload (Inferred):
If the vulnerability allows updating the terminal ID:
action=nexi_xpay_update_settings&terminal_id=12345&security=abc123def4

6. Test Data Setup

  1. Install and activate Nexi XPay <= 8.3.1.
  2. Ensure the plugin is configured with a "dummy" Terminal ID via the admin UI (to verify it changes later).
  3. If a shortcode is needed for nonce extraction, identify it:
    grep -rn "add_shortcode" wp-content/plugins/cartasi-x-pay/
  4. Create a public page with that shortcode.

7. Expected Results

  • HTTP Response: A 200 OK response, potentially containing {"success":true} or a 1 (typical for successful AJAX).
  • State Change: The targeted setting (e.g., Terminal ID, Secret Key, or Order Status) is updated in the database without administrative intervention.

8. Verification Steps

After the HTTP request, use WP-CLI to confirm the change:

  1. Check Options: If the exploit targeted an option:
    wp option get [OPTION_NAME]
  2. Check Database: If the exploit targeted a custom table:
    wp db query "SELECT * FROM wp_nexi_xpay_settings WHERE ..." --size=csv

9. Alternative Approaches

  • If nopriv is missing: Check if the vulnerability is actually wp_ajax_ (authenticated) but allows Subscriber level users to perform admin actions (Missing Authorization for low-privilege users).
  • REST API: Check if the plugin registers REST routes with register_rest_route and uses __return_true for the permission_callback.
    grep -rn "register_rest_route" wp-content/plugins/cartasi-x-pay/ -A 5
Research Findings
Static analysis — not yet PoC-verified

Summary

The Nexi XPay plugin for WordPress is vulnerable to unauthorized access in versions up to 8.3.1 due to a missing capability check on an AJAX handler. This allows unauthenticated attackers to execute sensitive functions, such as modifying plugin settings or terminal configurations, by targeting actions registered via the wp_ajax_nopriv_ hook.

Security Fix

--- a/wp-content/plugins/cartasi-x-pay/includes/ajax-handler.php
+++ b/wp-content/plugins/cartasi-x-pay/includes/ajax-handler.php
@@ -10,5 +10,9 @@
 function nexi_xpay_process_ajax() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( 'Unauthorized', 403 );
+    }
+
     // Processing logic for sensitive plugin settings

Exploit Outline

The exploit involves sending a POST request to /wp-admin/admin-ajax.php with an 'action' parameter linked to a 'wp_ajax_nopriv_' hook. Since the handler lacks a 'current_user_can' check, unauthenticated attackers can pass parameters in the POST body to modify plugin settings (such as Terminal IDs or API keys). If a security nonce is required, it can be obtained by inspecting the site's frontend source code for localized JavaScript objects containing the nonce.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.