[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQS1MmGICVzyzLE78sYdKHV7Lo8l7oCWhIKC3NiKpLC4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"source_links":40},"CVE-2025-15565","nexi-xpay-missing-authorization-to-unauthenticated-order-status-modification","Nexi XPay \u003C= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification","The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid\u002Fcompleted.","cartasi-x-pay",null,"\u003C=8.3.0","8.3.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-14 09:14:14","2026-04-14 21:26:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff420151b-c783-49b1-b0e9-e936a904278a?source=api-prod",1,[22,23,24,25,26,27,28,29],"README.md","assets\u002Fjs\u002Fxpay-googlepay-npg.js","build\u002Findex_xpay_build.asset.php","build\u002Findex_xpay_build.js","client\u002Fblocks\u002Fcommons.js","client\u002Fblocks\u002Findex_xpay_applepay_button.js","client\u002Fblocks\u002Findex_xpay_build.js","client\u002Fblocks\u002Findex_xpay_googlepay_button.js","researched",false,3,"This exploitation research plan targets **CVE-2025-15565**, a missing authorization vulnerability in the **Nexi XPay** plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe Nexi XPay plugin (specifically the gateway handler for WooCommerce) fails to perform adequate authorization or integrity checks on the function responsible for processing \"return\" redirects from the Nexi payment gateway. \n\nIn a standard workflow, a user is redirected to Nexi to pay and then redirected back to the merchant site with parameters indicating the outcome. The plugin should verify a Message Authentication Code (MAC) signature provided by Nexi to ensure the request is legitimate. Version 8.3.0 and below fail to enforce this check correctly or at all in specific redirect paths, allowing an unauthenticated attacker to spoof a successful payment response by crafting a GET or POST request to the callback handler.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The standard WooCommerce API callback endpoint.\n*   **Action (Inferred):** `wc_gateway_nexi_xpay_simple_payment` or `cartasi_xpay` (registered via the `woocommerce_api_{callback}` hook).\n*   **URL Pattern:** `https:\u002F\u002Ftarget.tld\u002F?wc-api=wc_gateway_nexi_xpay_simple_payment` (or similar).\n*   **Vulnerable Parameters:** `codTrans` (the Order ID\u002FTransaction Code), `esito` (the outcome, e.g., `OK`), and `mac` (the signature, which is bypassed or missing).\n*   **Preconditions:** \n    1.  The Nexi XPay plugin must be active and configured as a payment method in WooCommerce.\n    2.  An order must exist in a \"Pending Payment\" state.\n    3.  The attacker needs to know or guess the `codTrans` (often matches the WooCommerce Order ID or a prefixed version).\n\n## 3. Code Flow\n1.  **Entry Point:** The request hits `index.php`, WordPress loads, and WooCommerce identifies the `wc-api` query parameter.\n2.  **Dispatch:** WooCommerce triggers the hook `woocommerce_api_wc_gateway_nexi_xpay_simple_payment`.\n3.  **Vulnerable Function:** The callback function (likely `check_response` or `handle_redirect` inside the gateway class) is executed.\n4.  **Input Processing:** The code extracts `$_GET['codTrans']` and `$_GET['esito']`.\n5.  **Authorization Failure:** The code checks if `esito == 'OK'` but fails to validate the `mac` parameter against the shared secret (Alias\u002FMAC Key).\n6.  **Sink:** The code calls `$order->payment_complete()` or `$order->update_status('processing')`, marking the order as paid.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability resides in a **Webhook\u002FAPI callback** intended for server-to-server or cross-site communication. \n*   **Nonce Requirement:** **None.** WooCommerce `wc-api` handlers do not use WordPress nonces because they must be accessible to external payment gateways (Nexi).\n*   **Authorization:** The \"Authorization\" should be the `mac` parameter, which the description confirms is missing or not checked.\n\n## 5. Exploitation Strategy\nThe goal is to move a \"Pending\" order to \"Processing\u002FCompleted\" without actual payment.\n\n### Step 1: Identify Order ID\nAn attacker would first place a legitimate order as a guest\u002Fcustomer to identify the `codTrans` format. Usually, it is just the Order ID.\n\n### Step 2: Craft Spoofed Redirect\nConstruct an HTTP request to the callback URL.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002F?wc-api=wc_gateway_nexi_xpay_simple_payment`\n*   **Method:** GET\n*   **Parameters:**\n    *   `esito`: `OK` (Signal success)\n    *   `codTrans`: `[ORDER_ID]` (The target order)\n    *   `mac`: `anyvalue` (Or omitted, since the check is missing)\n\n### Step 3: Execution via `http_request`\n```javascript\n\u002F\u002F PoC logic to be run by the agent\nawait http_request({\n    url: \"http:\u002F\u002Flocalhost:8080\u002F?wc-api=wc_gateway_nexi_xpay_simple_payment&esito=OK&codTrans=123\",\n    method: \"GET\"\n});\n```\n\n## 6. Test Data Setup\n1.  **Install & Activate:** Nexi XPay (cartasi-x-pay) \u003C= 8.3.0 and WooCommerce.\n2.  **Gateway Config:** \n    *   Enable \"Nexi XPay\" in WooCommerce > Settings > Payments.\n    *   Enter dummy values for \"Alias\" and \"MAC Key\" (necessary to initialize the gateway).\n3.  **Create Order:**\n    *   As a guest user, add a product to the cart.\n    *   Proceed to checkout.\n    *   Select \"Nexi XPay\" as the payment method.\n    *   Click \"Place Order\". This will create an order in \"Pending Payment\" status.\n4.  **Capture Order ID:** Use `wp-cli` to find the latest order ID: `wp wc order list --status=pending --format=ids`.\n\n## 7. Expected Results\n*   **Before Attack:** Order status is `pending`.\n*   **During Attack:** The HTTP request to the callback URL returns a `200 OK` or a redirect to the \"Thank You\" page.\n*   **After Attack:** The Order status is changed to `processing` or `completed`.\n\n## 8. Verification Steps\nAfter sending the request, verify the status via WP-CLI:\n```bash\nwp wc order get [ORDER_ID] --fields=status --format=json\n```\nSuccess is confirmed if the status is `processing` or `completed`.\n\n## 9. Alternative Approaches\nIf the `wc-api` slug differs, check the source code for the hook registration:\n1.  Search for `add_action( 'woocommerce_api_` in the plugin directory.\n2.  The string following `woocommerce_api_` is the value needed for the `wc-api` query parameter.\n3.  Common alternatives: `wc_gateway_nexi`, `nexi_xpay_return`, `cartasi_xpay_callback`.\n\nIf the plugin uses a POST request for the notification (IPN style), change the `http_request` method to `POST` and pass parameters in the body. The vulnerability description mentions \"redirect function,\" strongly suggesting `GET` via the user's browser redirect.","The Nexi XPay plugin for WordPress is vulnerable to unauthorized order status modification due to a lack of signature verification in its payment redirect handler. Unauthenticated attackers can exploit this by spoofing payment confirmation requests to the WooCommerce API callback endpoint, allowing them to mark pending orders as paid without actual financial transactions.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartasi-x-pay\u002F8.3.1\u002Fassets\u002Fjs\u002Fxpay-googlepay-npg.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartasi-x-pay\u002F8.3.2\u002Fassets\u002Fjs\u002Fxpay-googlepay-npg.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartasi-x-pay\u002F8.3.1\u002Fassets\u002Fjs\u002Fxpay-googlepay-npg.js\t2026-03-05 09:00:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartasi-x-pay\u002F8.3.2\u002Fassets\u002Fjs\u002Fxpay-googlepay-npg.js\t2026-04-07 14:47:28.000000000 +0000\n@@ -192,4 +192,4 @@\n             loadGooglePayButton();\n         }\n     }, 500);\n-});\n\\ No newline at end of file\n+});\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartasi-x-pay\u002F8.3.1\u002Fbuild\u002Findex_xpay_build.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartasi-x-pay\u002F8.3.2\u002Fbuild\u002Findex_xpay_build.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartasi-x-pay\u002F8.3.1\u002Fbuild\u002Findex_xpay_build.asset.php\t2026-03-05 09:00:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartasi-x-pay\u002F8.3.2\u002Fbuild\u002Findex_xpay_build.asset.php\t2026-04-07 14:47:28.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('jquery', 'lodash', 'react', 'wc-blocks-registry', 'wp-i18n', 'wp-polyfill'), 'version' => '369508ac78003c291513');\n+\u003C?php return array('dependencies' => array('jquery', 'react', 'wc-blocks-registry', 'wp-i18n', 'wp-polyfill'), 'version' => '03dff507f0562b6d2110');","The exploit involves spoofing a server-to-server or browser-redirect notification from the Nexi payment gateway to the merchant's site. \n\n1. Identify a target Order ID in WooCommerce that is currently in 'Pending Payment' status.\n2. Target the WooCommerce API callback endpoint registered by the plugin, typically: `\u002F?wc-api=wc_gateway_nexi_xpay_simple_payment` (or similar, depending on the specific gateway module configuration).\n3. Construct a GET or POST request to this endpoint containing the target order identifier (`codTrans`) and a successful outcome code (`esito=OK`).\n4. Omit or provide any arbitrary value for the `mac` parameter. Because the vulnerable versions fail to validate the Message Authentication Code (MAC) signature against the shared secret, the plugin accepts the spoofed response as legitimate.\n5. The order status is automatically updated to 'Processing' or 'Completed' in the WooCommerce backend, fulfilling the order without payment.\n6. No authentication or valid WordPress nonces are required to hit this endpoint.","gemini-3-flash-preview","2026-04-16 15:51:28","2026-04-16 15:51:51",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","8.3.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartasi-x-pay\u002Ftags\u002F8.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcartasi-x-pay.8.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartasi-x-pay\u002Ftags\u002F8.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcartasi-x-pay.8.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartasi-x-pay\u002Ftags"]