Platform
wordpress
Component
cartasi-x-pay
Fixed in
8.3.1
8.3.2
CVE-2025-15565 is a medium-severity vulnerability affecting the Nexi XPay plugin for WordPress. This flaw allows unauthenticated attackers to manipulate WooCommerce order statuses, specifically marking pending orders as paid or completed. The vulnerability exists in versions up to and including 8.3.0, and a patch is available in version 8.3.2.
Exploitation of CVE-2025-15565 allows an attacker to fraudulently mark WooCommerce orders as paid, potentially leading to financial losses for merchants and customers. An attacker could manipulate order statuses to gain unauthorized access to goods or services, or to disrupt the order processing workflow. While the impact is not as severe as a full system compromise, the potential for financial fraud and reputational damage is significant. This type of vulnerability highlights the importance of robust authorization checks in payment processing plugins.
CVE-2025-15565 was published on 2026-04-14. Its medium CVSS score suggests a moderate probability of exploitation. Public proof-of-concept (POC) code may be developed, but the vulnerability's complexity might limit its widespread exploitation. It is not currently listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for updates.
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-15565 is to upgrade the Nexi XPay plugin to version 8.3.2 or later. If an immediate upgrade is not possible, consider implementing stricter access controls on the WooCommerce order management interface to limit who can modify order statuses. While a direct workaround is not available, carefully review the plugin's code for any other potential authorization flaws. After upgrading, confirm the fix by attempting to modify an order status without proper authentication and verifying that the action is denied.
Update to version 8.3.2 or a newer patched version
CVE-2025-15565 is a medium-severity vulnerability in the Nexi XPay WordPress plugin that allows unauthenticated attackers to mark pending WooCommerce orders as paid, potentially leading to fraudulent transactions.
You are affected if your WordPress site uses the Nexi XPay plugin and is running version 8.3.0 or earlier. Upgrade to version 8.3.2 to resolve the vulnerability.
Upgrade the Nexi XPay plugin to version 8.3.2 or later through the WordPress plugin management interface. If upgrading is not immediately possible, temporarily disable the plugin.
While there is no widespread evidence of active exploitation, the vulnerability's simplicity suggests it could be exploited easily. Monitor security advisories for updates.
Refer to the official Nexi XPay plugin documentation and WordPress plugin repository for the latest security updates and advisories related to CVE-2025-15565.