Nexi XPay WordPress Plugin Missing Authorization Vulnerability Allows Unauthenticated Order Status Modification

Vulnerability

A vulnerability exists in the Nexi XPay plugin for WordPress, all versions up to and including 8.3.0, due to a missing authorization check in the plugin's redirect function. Because the function acts on the request without verifying that the caller is authorized to do so, an unauthenticated attacker can change the status of a pending WooCommerce order, marking it as paid or completed.
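
The following is an added illustration of the vulnerability class described above; it is not Nexi XPay code, and the advisory does not publish the plugin's actual redirect function. It shows a generic WooCommerce payment-gateway return handler first in a form that trusts the redirect parameters (missing authorization), then in a hardened form that accepts a status change only when a gateway-signed MAC over the result fields verifies. The hook names (`woocommerce_api_example_gateway_return*`), query parameter names, the `example_gateway_mac_secret` option and the HMAC-SHA256 scheme are all assumptions for the example.

```php
<?php
// Added illustration, not Nexi XPay code. The advisory does not publish the plugin's
// redirect function, so the hook names (woocommerce_api_example_gateway_return*),
// query parameters, option name and MAC scheme below are assumptions.

// VULNERABLE pattern (missing authorization): the handler trusts the order id and
// payment result carried in the browser redirect, so anyone who can reach the
// endpoint can mark a pending order as paid.
add_action('woocommerce_api_example_gateway_return_insecure', function () {
    $order = wc_get_order(absint($_GET['order_id'] ?? 0));
    if (! $order) {
        wp_die('Unknown order', '', ['response' => 404]);
    }
    if (($_GET['result'] ?? '') === 'OK') {
        // Nothing here proves the gateway produced this request.
        $order->payment_complete(sanitize_text_field($_GET['transaction_id'] ?? ''));
    }
    wp_safe_redirect($order->get_checkout_order_received_url());
    exit;
});

// HARDENED pattern: the gateway signs the result fields with a shared secret. The
// handler recomputes the HMAC over the same fields, compares it in constant time,
// and only then transitions an order that is still awaiting payment. Returns the
// verified fields, or null if anything is missing or the MAC does not match.
function example_gateway_verify_return(array $params, string $secret): ?array {
    foreach (['order_id', 'amount', 'result', 'transaction_id', 'mac'] as $k) {
        if (! isset($params[$k]) || ! is_string($params[$k]) || $params[$k] === '') {
            return null;
        }
    }
    $payload  = implode('|', [$params['order_id'], $params['amount'], $params['result'], $params['transaction_id']]);
    $expected = hash_hmac('sha256', $payload, $secret);
    if (! hash_equals($expected, strtolower($params['mac']))) {
        return null;
    }
    return $params;
}

add_action('woocommerce_api_example_gateway_return', function () {
    // Assumption: the shared MAC secret is stored in the plugin's settings.
    $secret = (string) get_option('example_gateway_mac_secret', '');
    $params = $secret === '' ? null : example_gateway_verify_return(wp_unslash($_GET), $secret);
    if ($params === null) {
        wp_die('Invalid or unsigned gateway response', '', ['response' => 403]);
    }
    $order = wc_get_order(absint($params['order_id']));
    if (! $order || ! $order->has_status('pending')) {
        // Already paid, cancelled or unknown: a replayed or stale response changes nothing.
        wp_die('Order not found or not awaiting payment', '', ['response' => 400]);
    }
    // Defence in depth: the signed amount must cover the order total, so a genuine
    // response for a smaller transaction cannot be used to settle this order.
    if (abs((float) $order->get_total() - (float) $params['amount']) > 0.005) {
        $order->update_status('on-hold', 'Gateway amount does not match order total.');
        wp_die('Amount mismatch', '', ['response' => 400]);
    }
    if ($params['result'] === 'OK') {
        $order->payment_complete(sanitize_text_field($params['transaction_id']));
    } else {
        $order->update_status('failed', 'Payment declined by gateway.');
    }
    wp_safe_redirect($order->get_checkout_order_received_url());
    exit;
});
```

The browser redirect is only a user-experience hop: in a production integration the gateway's server-to-server notification, verified the same way, should be the authoritative signal that money was received, and the `has_status('pending')` guard keeps repeated or replayed notifications from re-transitioning an order that has already been settled.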

Impact

An attacker who exploits this flaw can move pending WooCommerce orders to paid or completed without any payment having been received. Goods or services may then be released against orders that were never paid for, and the store's order records will no longer reconcile with the payment gateway's transaction records.

Remediation

Update the Nexi XPay plugin to version 8.3.2 or a newer patched version. Because the flaw is exploitable without authentication, stores that ran an affected version should also reconcile any orders that moved to paid or completed during that period against the payment gateway's transaction records and hold any order that has no matching transaction.

Added: Apr 15, 2026, 12:54 AM
Updated: Apr 15, 2026, 12:54 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  8.1
remediation     0.0
relevance       5.9
threat          3.2
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.