[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_ziLiJxWx3p6_xGYYy6mz0uPI4sz_VjnvpMI6jY4oWM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-54810","nexi-xpay-missing-authorization","Nexi XPay \u003C= 8.3.1 - Missing Authorization","The Nexi XPay plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.3.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","cartasi-x-pay",null,"\u003C=8.3.1","8.3.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-17 00:00:00","2026-06-23 15:42:51",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F97e9c99f-e143-42db-a02a-1467276e32b1?source=api-prod",7,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-54810 (Nexi XPay)\n\n## 1. Vulnerability Summary\n**CVE-2026-54810** is a Missing Authorization vulnerability in the Nexi XPay (cartasi-x-pay) plugin for WordPress (versions \u003C= 8.3.1). The vulnerability arises because a specific AJAX handler, registered via `wp_ajax_nopriv_`, performs a sensitive action (likely related to configuration or transaction state) without verifying the user's capabilities (e.g., `current_user_can('manage_options')`). This allows unauthenticated attackers to trigger the function and modify plugin behavior or data.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** To be determined via code audit, but likely related to `nexi_` or `cartasi_` prefixes (e.g., `wp_ajax_nopriv_nexi_xpay_save_settings` or `wp_ajax_nopriv_xpay_update_status`).\n*   **Authentication:** None required (unauthenticated via `nopriv` hook).\n*   **Preconditions:** Plugin must be active. A valid WordPress nonce may be required if `check_ajax_referer` is present, but given the \"Missing Authorization\" nature, the primary flaw is the lack of capability checks.\n\n## 3. Code Flow Analysis\nThe agent must trace the following path:\n1.  **Entry Point:** Search for registration of unauthenticated AJAX hooks:\n    `grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Fcartasi-x-pay\u002F`\n2.  **Handler Identification:** Identify the callback function associated with the `nopriv` hook. (e.g., `add_action( 'wp_ajax_nopriv_[ACTION]', '[CALLBACK]' );`).\n3.  **Sink Analysis:** Inspect the `[CALLBACK]` function. Look for:\n    *   **Missing:** `current_user_can( ... )` checks.\n    *   **Action:** Use of `update_option()`, `$wpdb->update()`, or functions that change payment gateway settings (API keys, terminal IDs, etc.).\n4.  **Parameter Mapping:** Identify which `$_POST` or `$_REQUEST` parameters are used within the sink to determine the exploit payload.\n\n## 4. Nonce Acquisition Strategy\nIf the handler uses `check_ajax_referer( 'some_action', 'security' )`, the agent must retrieve a valid nonce.\n1.  **Find Nonce Source:** Search for where the nonce is created:\n    `grep -rn \"wp_create_nonce\" wp-content\u002Fplugins\u002Fcartasi-x-pay\u002F`\n2.  **Identify Localization:** Look for `wp_localize_script` calls that pass this nonce to the frontend.\n    *   *Example:* `wp_localize_script( 'nexi-js', 'NexiParams', array( 'nonce' => wp_create_nonce('nexi_action') ) );`\n3.  **Extraction via Browser:**\n    *   Identify the shortcode or page where the plugin script loads (e.g., a checkout page or a settings page).\n    *   Create a test page: `wp post create --post_type=page --post_status=publish --post_content='[nexi_xpay_shortcode]'` (inferred).\n    *   Navigate to the page and extract the nonce:\n        `browser_eval(\"window.NexiParams?.nonce\")` (inferred - replace with actual JS object and key).\n\n## 5. Exploitation Strategy\nOnce the action and parameters are identified, use the `http_request` tool:\n\n**Request Details:**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=[VULNERABLE_ACTION]&\n    security=[NONCE_IF_REQUIRED]&\n    [PARAM_1]=[MALICIOUS_VALUE]&\n    [PARAM_2]=[MALICIOUS_VALUE]\n    ```\n\n**Example Payload (Inferred):**\nIf the vulnerability allows updating the terminal ID:\n`action=nexi_xpay_update_settings&terminal_id=12345&security=abc123def4`\n\n## 6. Test Data Setup\n1.  Install and activate Nexi XPay \u003C= 8.3.1.\n2.  Ensure the plugin is configured with a \"dummy\" Terminal ID via the admin UI (to verify it changes later).\n3.  If a shortcode is needed for nonce extraction, identify it:\n    `grep -rn \"add_shortcode\" wp-content\u002Fplugins\u002Fcartasi-x-pay\u002F`\n4.  Create a public page with that shortcode.\n\n## 7. Expected Results\n*   **HTTP Response:** A `200 OK` response, potentially containing `{\"success\":true}` or a `1` (typical for successful AJAX).\n*   **State Change:** The targeted setting (e.g., Terminal ID, Secret Key, or Order Status) is updated in the database without administrative intervention.\n\n## 8. Verification Steps\nAfter the HTTP request, use WP-CLI to confirm the change:\n1.  **Check Options:** If the exploit targeted an option:\n    `wp option get [OPTION_NAME]`\n2.  **Check Database:** If the exploit targeted a custom table:\n    `wp db query \"SELECT * FROM wp_nexi_xpay_settings WHERE ...\" --size=csv`\n\n## 9. Alternative Approaches\n*   **If `nopriv` is missing:** Check if the vulnerability is actually `wp_ajax_` (authenticated) but allows **Subscriber** level users to perform admin actions (Missing Authorization for low-privilege users).\n*   **REST API:** Check if the plugin registers REST routes with `register_rest_route` and uses `__return_true` for the `permission_callback`.\n    `grep -rn \"register_rest_route\" wp-content\u002Fplugins\u002Fcartasi-x-pay\u002F -A 5`","The Nexi XPay plugin for WordPress is vulnerable to unauthorized access in versions up to 8.3.1 due to a missing capability check on an AJAX handler. This allows unauthenticated attackers to execute sensitive functions, such as modifying plugin settings or terminal configurations, by targeting actions registered via the wp_ajax_nopriv_ hook.","--- a\u002Fwp-content\u002Fplugins\u002Fcartasi-x-pay\u002Fincludes\u002Fajax-handler.php\n+++ b\u002Fwp-content\u002Fplugins\u002Fcartasi-x-pay\u002Fincludes\u002Fajax-handler.php\n@@ -10,5 +10,9 @@\n function nexi_xpay_process_ajax() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( 'Unauthorized', 403 );\n+    }\n+\n     \u002F\u002F Processing logic for sensitive plugin settings","The exploit involves sending a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with an 'action' parameter linked to a 'wp_ajax_nopriv_' hook. Since the handler lacks a 'current_user_can' check, unauthenticated attackers can pass parameters in the POST body to modify plugin settings (such as Terminal IDs or API keys). If a security nonce is required, it can be obtained by inspecting the site's frontend source code for localized JavaScript objects containing the nonce.","gemini-3-flash-preview","2026-06-25 22:50:26","2026-06-25 22:52:55",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","8.3.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartasi-x-pay\u002Ftags\u002F8.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcartasi-x-pay.8.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartasi-x-pay\u002Ftags\u002F8.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcartasi-x-pay.8.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartasi-x-pay\u002Ftags"]