5.3
Nexi XPay plugin on WordPress allows unauthorized order changes
CVE-2025-15565
Summary
The Nexi XPay plugin for WordPress does not properly secure its redirect function, allowing unauthorized users to mark WooCommerce orders as paid or completed. This could lead to incorrect order status and potential financial loss. Update to the latest version (8.3.1 or later) to fix this issue.
Original title
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This ...
Original description
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.
NVD CVSS 3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026