{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15565", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T21:54:02.953Z", "datePublished": "2026-04-14T21:26:40.111Z", "dateUpdated": "2026-04-15T13:33:09.315Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T21:26:40.111Z"}, "affected": [{"vendor": "cartasi", "product": "Nexi XPay", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed."}], "title": "Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-04-14T09:14:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:33:02.118762Z", "id": "CVE-2025-15565", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:33:09.315Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15565", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:33:02.118762Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:33:06.138Z"}}], "cna": {"title": "Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "cartasi", "product": "Nexi XPay", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.3.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-04-14T09:14:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268"}], "descriptions": [{"lang": "en", "value": "The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T21:26:40.111Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15565", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:33:09.315Z", "dateReserved": "2026-02-05T21:54:02.953Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-14T21:26:40.111Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed."}], "id": "CVE-2025-15565", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-14T22:16:27.727", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.3.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Nexi XPay", "source": "cna", "vendor": "cartasi"}, "product": "nexi_xpay", "vendor": "cartasi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T22:21:16.570840+00:00", "value": {"mitigation_remediation": ["Upgrade the Nexi XPay WordPress plugin to the latest version that includes the missing authorization check (version > 8.3.0).", "If an immediate upgrade is not possible, temporarily disable the redirect endpoint or restrict access to that handler via server configuration or plugin settings to prevent unauthenticated requests.", "After remediation, audit order status logs and transaction records for any unauthorized changes, and implement monitoring to detect future anomalies in order state transitions."], "summary": {"action": "Immediate patch", "impact": "Unauthorized modification of WooCommerce order status, enabling unauthenticated attackers to mark pending orders as paid or completed"}, "threat_synthesis": {"affected_systems": "The vulnerable component is the Nexi XPay WordPress plugin distributed by Cartasi. All versions 8.3.0 and earlier are affected. Users deploying the plugin on any WordPress site that processes WooCommerce orders should verify and update their installation.", "description_and_impact": "The Nexi XPay plugin for WordPress contains a missing authorization check on the redirect function in all releases up to 8.3.0. This flaw allows an unauthenticated user to manipulate the order status, turning unapproved or pending orders into paid or completed ones. The impact is that attackers could trigger transactions or claims of receipt for orders they never authorized, possibly resulting in financial loss or refund disputes.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity and highlights an authentication bypass within the application. No EPSS value is provided, suggesting limited data on current exploitation prevalence, and the issue is not in the CISA KEV list. Because no authentication is required, the vulnerability can be exploited over the public web by crafting a request to the redirect endpoint. While no public exploit has been documented, the risk is significant for sites handling sensitive payment data. The absence of a mitigation in the public feed means the exploitation vector remains plausible until a patch is applied."}}}}, "created": "2026-04-15T14:31:57.034866+00:00", "updated": "2026-04-15T14:53:53.426678+00:00", "vendors": ["cartasi", "cartasi$PRODUCT$nexi_xpay", "wordpress", "wordpress$PRODUCT$wordpress"]}