Platform: wordpress
Component: cartasi-x-pay
Fixed in: 8.3.1, 8.3.2
CVE-2025-15565 is a medium-severity vulnerability in the Nexi XPay plugin for WordPress (the cartasi-x-pay component). It allows unauthenticated attackers to change WooCommerce order statuses, specifically to mark pending orders as paid or completed, without any legitimate payment having taken place. Versions up to and including 8.3.0 are affected; the fix is in version 8.3.2.
The primary impact is fraud and direct financial loss. An attacker places an order, then marks it paid without completing payment, so goods are shipped or services delivered against an order the merchant was never paid for. Because WooCommerce fulfilment workflows key off the processing and completed statuses, such orders are typically fulfilled without anyone noticing, and the losses scale with how many orders the attacker pushes through before the pattern is spotted. It also disrupts order handling more broadly, since staff can no longer trust the paid status as evidence of payment. Exploitation requires only requests to the vulnerable site, with no account or prior access, so any store running an affected version is exposed.
CVE-2025-15565 is not on the CISA KEV list, and its EPSS score is 0.05% (15th percentile), a low estimated probability of exploitation in the next 30 days. Public proof-of-concept code is not widely available, but the flaw is simple: it is triggered by unauthenticated requests and needs no special tooling, so a working exploit would be easy to produce. The vulnerability was published on 2026-04-14; monitor security advisories and threat-intelligence feeds for signs of exploitation.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC:
CVSS Vector:
The most effective mitigation is to upgrade the Nexi XPay plugin to version 8.3.2 or later immediately. If upgrading is not immediately feasible because of compatibility concerns, deactivate the plugin until it can be upgraded; this removes the vulnerable code path at the cost of taking the payment method offline. Stricter order review will not stop the status change, but reconciling every order marked paid against the payment gateway's own transaction records before fulfilment catches fraudulent completions before goods ship. A web application firewall rule that blocks unauthorized requests to the redirect function within the plugin adds a layer of protection, with a caveat: a customer returning from the payment page is also an unauthenticated visitor, so an overly broad rule breaks legitimate payments. Treat the WAF rule as a stopgap, not a fix. After upgrading, confirm the installed plugin version is 8.3.2 or later and, on a staging copy of the site, verify that an unauthenticated request to the plugin's redirect function no longer changes a pending order's status.
Update to version 8.3.2, or a newer patched version
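As an added example (not code from this page, the plugin or Nexi), the following Python script turns two of the checks this section calls for into something repeatable: it decides from a WordPress plugin header whether the installed version falls in the affected range (up to and including 8.3.0), and it reconciles WooCommerce orders marked paid through the gateway against the gateway's own transaction records, flagging orders that were never actually paid, orders that reuse another order's transaction id, and amount mismatches. The gateway id `cartasi_x_pay`, the order and transaction field names, and every sample record are assumptions constructed for the example; take the real gateway id from an existing order's payment method and the transaction records from the gateway account's export.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Version boundaries as stated in the advisory: <= 8.3.0 affected, fixed in 8.3.2.
LAST_VULNERABLE = "8.3.0"
FIXED_IN = "8.3.2"

# ASSUMPTION: the WooCommerce gateway id this plugin stores in an order's payment_method.
# Not given in the advisory; read it off a real order before using this on a live store.
GATEWAY_ID = "cartasi_x_pay"


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.3.2-beta' -> (8, 3, 2); trailing non-numeric text is ignored."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter versions are zero-padded so '8.3' equals '8.3.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def plugin_version_from_header(header_text: str) -> Optional[str]:
    """Read the 'Version:' line of a WordPress plugin header (the line WP itself parses)."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected_version(version: str) -> bool:
    """True when the installed version is at or below the last vulnerable release."""
    return compare_versions(version, LAST_VULNERABLE) <= 0


@dataclass(frozen=True)
class Order:
    order_id: int
    status: str                    # WooCommerce status slug: pending, processing, completed, ...
    payment_method: str            # gateway id recorded on the order
    amount_cents: int              # integer cents, so no float comparisons
    transaction_id: Optional[str]  # gateway transaction id stored on the order, if any


@dataclass(frozen=True)
class GatewayTxn:
    transaction_id: str
    order_id: int
    amount_cents: int
    result: str                    # outcome reported by the gateway, e.g. captured / declined


PAID_STATUSES = {"processing", "completed"}
CONFIRMED_RESULTS = {"captured", "authorized"}


def reconcile_orders(orders: Iterable[Order], gateway_txns: Iterable[GatewayTxn],
                     gateway_id: str = GATEWAY_ID) -> List[Tuple[int, str]]:
    """Flag orders marked paid through gateway_id that the gateway's own records do not
    confirm. An order forced to paid without a real payment has no confirmed transaction,
    so it lands here; so do replays of another order's transaction id and amount mismatches."""
    confirmed: Dict[str, GatewayTxn] = {
        t.transaction_id: t for t in gateway_txns if t.result in CONFIRMED_RESULTS
    }
    findings: List[Tuple[int, str]] = []
    for o in orders:
        if o.status not in PAID_STATUSES or o.payment_method != gateway_id:
            continue  # unpaid, or paid through another gateway: out of scope
        if o.transaction_id is None:
            findings.append((o.order_id, "marked paid with no transaction id recorded"))
            continue
        t = confirmed.get(o.transaction_id)
        if t is None:
            findings.append((o.order_id, f"no confirmed gateway transaction {o.transaction_id}"))
        elif t.order_id != o.order_id:
            findings.append((o.order_id, f"transaction {t.transaction_id} belongs to order {t.order_id}"))
        elif t.amount_cents != o.amount_cents:
            findings.append((o.order_id, f"order amount {o.amount_cents} != gateway {t.amount_cents}"))
    return findings


# Constructed sample data (not real orders or gateway records).
SAMPLE_ORDERS = [
    Order(1001, "completed", GATEWAY_ID, 5990, "T1"),    # legitimate, captured
    Order(1002, "processing", GATEWAY_ID, 12000, None),  # forced to paid, never reached the gateway
    Order(1003, "completed", GATEWAY_ID, 3500, "T3"),    # legitimate, authorized
    Order(1004, "pending", GATEWAY_ID, 8000, None),      # unpaid: ignored
    Order(1005, "completed", "bacs", 4000, None),        # other gateway: ignored by default
    Order(1006, "completed", GATEWAY_ID, 25000, "T6"),   # gateway only captured 25.00
    Order(1007, "completed", GATEWAY_ID, 1000, "T1"),    # replays order 1001's transaction id
    Order(1008, "completed", GATEWAY_ID, 7500, "T8"),    # gateway declined this payment
]
SAMPLE_GATEWAY_TXNS = [
    GatewayTxn("T1", 1001, 5990, "captured"),
    GatewayTxn("T3", 1003, 3500, "authorized"),
    GatewayTxn("T6", 1006, 2500, "captured"),
    GatewayTxn("T8", 1008, 7500, "declined"),
]
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Nexi XPay
 * Description: constructed sample header, not the real plugin file
 * Version: 8.3.0
 */
"""

if __name__ == "__main__":
    installed = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    if installed is not None:
        print(f"installed {installed}: affected={is_affected_version(installed)}, fixed in {FIXED_IN}")
    for order_id, reason in reconcile_orders(SAMPLE_ORDERS, SAMPLE_GATEWAY_TXNS):
        print(f"review order {order_id}: {reason}")
```

Point `plugin_version_from_header` at the plugin's main PHP file under wp-content/plugins and feed `reconcile_orders` the store's orders and the gateway's settlement export; anything it returns should be held before fulfilment. The version check treats 8.3.1 and 8.3.2 as not affected, matching the page's fixed-in data.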
CVE-2025-15565 is a medium-severity vulnerability in the Nexi XPay WordPress plugin that allows unauthenticated attackers to mark pending WooCommerce orders as paid, potentially leading to fraudulent transactions.
You are affected if your WordPress site uses the Nexi XPay plugin at version 8.3.0 or earlier. Upgrade to version 8.3.2 or later to resolve the vulnerability.
Upgrade the Nexi XPay plugin to version 8.3.2 or later through the WordPress plugin management interface. If upgrading is not immediately possible, temporarily disable the plugin.
There is no evidence of widespread exploitation, but the flaw is simple enough that exploitation would be straightforward. Monitor security advisories for updates.
Refer to the official Nexi XPay plugin documentation and WordPress plugin repository for the latest security updates and advisories related to CVE-2025-15565.