CVE-2025-15565

Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 8.3.2
Time to patch: 1d

Description

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=8.3.0
Published: April 14, 2026
Last updated: April 14, 2026
Affected plugin: cartasi-x-pay

What Changed in the Fix

Changes introduced in v8.3.2


Source Code

WordPress.org SVN
Research Plan
Unverified


This exploitation research plan targets CVE-2025-15565, a missing authorization vulnerability in the Nexi XPay plugin for WordPress.

1. Vulnerability Summary

The Nexi XPay plugin (specifically the gateway handler for WooCommerce) fails to perform adequate authorization or integrity checks on the function responsible for processing "return" redirects from the Nexi payment gateway.

In a standard workflow, a user is redirected to Nexi to pay and then redirected back to the merchant site with parameters indicating the outcome. The plugin should verify a Message Authentication Code (MAC) signature provided by Nexi to ensure the request is legitimate. Version 8.3.0 and below fail to enforce this check correctly or at all in specific redirect paths, allowing an unauthenticated attacker to spoof a successful payment response by crafting a GET or POST request to the callback handler.

2. Attack Vector Analysis

  • Endpoint: The standard WooCommerce API callback endpoint.
  • Action (Inferred): wc_gateway_nexi_xpay_simple_payment or cartasi_xpay (registered via the woocommerce_api_{callback} hook).
  • URL Pattern: https://target.tld/?wc-api=wc_gateway_nexi_xpay_simple_payment (or similar).
  • Vulnerable Parameters: codTrans (the Order ID/Transaction Code), esito (the outcome, e.g., OK), and mac (the signature, which is bypassed or missing).
  • Preconditions:
    1. The Nexi XPay plugin must be active and configured as a payment method in WooCommerce.
    2. An order must exist in a "Pending Payment" state.
    3. The attacker needs to know or guess the codTrans (often matches the WooCommerce Order ID or a prefixed version).

3. Code Flow

  1. Entry Point: The request hits index.php, WordPress loads, and WooCommerce identifies the wc-api query parameter.
  2. Dispatch: WooCommerce triggers the hook woocommerce_api_wc_gateway_nexi_xpay_simple_payment.
  3. Vulnerable Function: The callback function (likely check_response or handle_redirect inside the gateway class) is executed.
  4. Input Processing: The code extracts $_GET['codTrans'] and $_GET['esito'].
  5. Authorization Failure: The code checks if esito == 'OK' but fails to validate the mac parameter against the shared secret (Alias/MAC Key).
  6. Sink: The code calls $order->payment_complete() or $order->update_status('processing'), marking the order as paid.
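To make the authorization failure at step 5 concrete from the defender's side, here is an added Python model (not the plugin's PHP code) of a return-redirect handler with and without MAC verification; it also shows the gateway side producing a genuine signed response. The HMAC-SHA256 scheme, the MAC key and the in-memory order store are constructed assumptions, not Nexi's real signing algorithm or WooCommerce's order API.

```python
import hashlib
import hmac

# Constructed shared secret standing in for the merchant's "MAC Key" gateway setting.
MAC_KEY = b"example-mac-key-not-real"


def expected_mac(params: dict, key: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over codTrans and esito in a fixed order.
    This is a stand-in, not Nexi's documented MAC algorithm."""
    signed = "codTrans=%s&esito=%s" % (params.get("codTrans", ""), params.get("esito", ""))
    return hmac.new(key, signed.encode(), hashlib.sha256).hexdigest()


def sign_gateway_response(params: dict, key: bytes = MAC_KEY) -> dict:
    """Models the gateway side: a genuine redirect carries a MAC over its own fields."""
    return {**params, "mac": expected_mac(params, key)}


def vulnerable_return_handler(params: dict, orders: dict) -> bool:
    """Models the flawed flow (steps 4-6 above): esito is checked, mac is never verified."""
    order_id = params.get("codTrans")
    if order_id in orders and params.get("esito") == "OK":
        orders[order_id] = "processing"  # sink: the equivalent of $order->payment_complete()
        return True
    return False


def hardened_return_handler(params: dict, orders: dict, key: bytes = MAC_KEY) -> bool:
    """Verify the MAC before trusting any field, then only advance pending orders."""
    order_id = params.get("codTrans")
    supplied = params.get("mac")
    if order_id not in orders or not isinstance(supplied, str) or not supplied:
        return False  # a missing or malformed mac is a rejection, not a pass-through
    expected = expected_mac(params, key)
    # Constant-time comparison over bytes so a non-ASCII mac cannot raise or leak timing.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    if params.get("esito") != "OK":
        return False
    if orders[order_id] != "pending":
        return False  # replayed or duplicate notification: do not re-mark the order
    orders[order_id] = "processing"
    return True
```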

4. Nonce Acquisition Strategy

This vulnerability resides in a Webhook/API callback intended for server-to-server or cross-site communication.

  • Nonce Requirement: None. WooCommerce wc-api handlers do not use WordPress nonces because they must be accessible to external payment gateways (Nexi).
  • Authorization: The "Authorization" should be the mac parameter, which the description confirms is missing or not checked.

5. Exploitation Strategy

The goal is to move a "Pending" order to "Processing/Completed" without actual payment.

Step 1: Identify Order ID

An attacker would first place a legitimate order as a guest/customer to identify the codTrans format. Usually, it is just the Order ID.

Step 2: Craft Spoofed Redirect

Construct an HTTP request to the callback URL.

  • URL: http://localhost:8080/?wc-api=wc_gateway_nexi_xpay_simple_payment
  • Method: GET
  • Parameters:
    • esito: OK (Signal success)
    • codTrans: [ORDER_ID] (The target order)
    • mac: anyvalue (Or omitted, since the check is missing)

Step 3: Execution via http_request

// PoC logic to be run by the agent
await http_request({
    url: "http://localhost:8080/?wc-api=wc_gateway_nexi_xpay_simple_payment&esito=OK&codTrans=123",
    method: "GET"
});

6. Test Data Setup

  1. Install & Activate: Nexi XPay (cartasi-x-pay) <= 8.3.0 and WooCommerce.
  2. Gateway Config:
    • Enable "Nexi XPay" in WooCommerce > Settings > Payments.
    • Enter dummy values for "Alias" and "MAC Key" (necessary to initialize the gateway).
  3. Create Order:
    • As a guest user, add a product to the cart.
    • Proceed to checkout.
    • Select "Nexi XPay" as the payment method.
    • Click "Place Order". This will create an order in "Pending Payment" status.
  4. Capture Order ID: Use wp-cli to find the latest order ID: wp wc order list --status=pending --format=ids.

7. Expected Results

  • Before Attack: Order status is pending.
  • During Attack: The HTTP request to the callback URL returns a 200 OK or a redirect to the "Thank You" page.
  • After Attack: The Order status is changed to processing or completed.

8. Verification Steps

After sending the request, verify the status via WP-CLI:

wp wc order get [ORDER_ID] --fields=status --format=json

Success is confirmed if the status is processing or completed.

9. Alternative Approaches

If the wc-api slug differs, check the source code for the hook registration:

  1. Search for add_action( 'woocommerce_api_ in the plugin directory.
  2. The string following woocommerce_api_ is the value needed for the wc-api query parameter.
  3. Common alternatives: wc_gateway_nexi, nexi_xpay_return, cartasi_xpay_callback.

If the plugin uses a POST request for the notification (IPN style), change the http_request method to POST and pass parameters in the body. The vulnerability description mentions "redirect function," strongly suggesting GET via the user's browser redirect.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Nexi XPay plugin for WordPress is vulnerable to unauthorized order status modification due to a lack of signature verification in its payment redirect handler. Unauthenticated attackers can exploit this by spoofing payment confirmation requests to the WooCommerce API callback endpoint, allowing them to mark pending orders as paid without actual financial transactions.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cartasi-x-pay/8.3.1/assets/js/xpay-googlepay-npg.js /home/deploy/wp-safety.org/data/plugin-versions/cartasi-x-pay/8.3.2/assets/js/xpay-googlepay-npg.js
--- /home/deploy/wp-safety.org/data/plugin-versions/cartasi-x-pay/8.3.1/assets/js/xpay-googlepay-npg.js	2026-03-05 09:00:30.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cartasi-x-pay/8.3.2/assets/js/xpay-googlepay-npg.js	2026-04-07 14:47:28.000000000 +0000
@@ -192,4 +192,4 @@
             loadGooglePayButton();
         }
     }, 500);
-});
\ No newline at end of file
+});
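Review bot: this hunk only adds the trailing newline that was missing after `});` in xpay-googlepay-npg.js; it contains no change to the return-redirect handler, so it cannot be the authorization fix the advisory describes. The "Security Fix" section should show the diff of the gateway callback where the MAC check is enforced, or state that this file is unrelated to the vulnerability.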
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cartasi-x-pay/8.3.1/build/index_xpay_build.asset.php /home/deploy/wp-safety.org/data/plugin-versions/cartasi-x-pay/8.3.2/build/index_xpay_build.asset.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cartasi-x-pay/8.3.1/build/index_xpay_build.asset.php	2026-03-05 09:00:30.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cartasi-x-pay/8.3.2/build/index_xpay_build.asset.php	2026-04-07 14:47:28.000000000 +0000
@@ -1 +1 @@
-<?php return array('dependencies' => array('jquery', 'lodash', 'react', 'wc-blocks-registry', 'wp-i18n', 'wp-polyfill'), 'version' => '369508ac78003c291513');
+<?php return array('dependencies' => array('jquery', 'react', 'wc-blocks-registry', 'wp-i18n', 'wp-polyfill'), 'version' => '03dff507f0562b6d2110');
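Review bot: this generated build-asset hunk removes 'lodash' from the dependency array and bumps the version hash, and like the previous hunk it does not touch the redirect authorization path. Dropping a declared dependency is only safe if the rebuilt bundle no longer references lodash at runtime, so the corresponding change to the built script should be reviewed together with this file.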

Exploit Outline

The exploit involves spoofing a server-to-server or browser-redirect notification from the Nexi payment gateway to the merchant's site.

  1. Identify a target Order ID in WooCommerce that is currently in 'Pending Payment' status.
  2. Target the WooCommerce API callback endpoint registered by the plugin, typically `/?wc-api=wc_gateway_nexi_xpay_simple_payment` (or similar, depending on the specific gateway module configuration).
  3. Construct a GET or POST request to this endpoint containing the target order identifier (`codTrans`) and a successful outcome code (`esito=OK`).
  4. Omit or provide any arbitrary value for the `mac` parameter. Because the vulnerable versions fail to validate the Message Authentication Code (MAC) signature against the shared secret, the plugin accepts the spoofed response as legitimate.
  5. The order status is automatically updated to 'Processing' or 'Completed' in the WooCommerce backend, fulfilling the order without payment.
  6. No authentication or valid WordPress nonces are required to hit this endpoint.
