Nexi XPay
CVE-2026-54810
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated network-reachable WordPress plugin endpoint with missing authorization (AV:N/AC:L/PR:N/UI:N); description and scorer constrain impact to availability only.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Nexi XPay: from n/a through 8.3.1.
AnalysisAI
Missing authorization in the Nexi XPay WordPress plugin (versions up to and including 8.3.1) allows remote unauthenticated attackers to exploit incorrectly configured access control security levels, resulting in high impact to availability. Reported by Patchstack with no public exploit identified at time of analysis, the issue stems from broken access control on plugin endpoints used by Italian e-commerce sites integrating Nexi/CartaSi payment processing.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target WordPress site must have the Nexi XPay (cartasi-x-pay) plugin installed and activated at version 8.3.1 or earlier, with its HTTP endpoints (admin-ajax.php actions and/or /wp-json/ REST routes registered by the plugin) reachable over the network - which is the default for any public WooCommerce storefront. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores 7.5 and indicates a network-reachable, low-complexity, fully unauthenticated attack that affects only availability - no confidentiality or integrity loss is claimed by the scorer. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans WordPress sites running the Nexi XPay plugin (fingerprintable via plugin assets or /wp-content/plugins/cartasi-x-pay/ paths) and sends an unauthenticated HTTP request directly to the vulnerable admin-ajax action or REST route that lacks a capability check. Because the endpoint performs a privileged availability-affecting operation without verifying the caller, the attacker triggers it repeatedly to disrupt checkout or plugin functionality on the storefront. … |
| Remediation | No vendor-released patched version is identified in the available data - the Patchstack record only marks 8.3.1 as vulnerable without naming a fixed release, so administrators should monitor the plugin's WordPress.org changelog and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cartasi-x-pay/vulnerability/wordpress-nexi-xpay-plugin-8-3-1-broken-access-control-vulnerability) for a 8.3.2 or later update and upgrade as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for Nexi XPay versions ≤8.3.1 and document exposure scope; prioritize merchant sites processing transactions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today