Skip to main content

Nexi XPay CVE-2026-54810

HIGH
Missing Authorization (CWE-862)
2026-06-17 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress plugin endpoint with missing authorization (AV:N/AC:L/PR:N/UI:N); description and scorer constrain impact to availability only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 15:33 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Nexi XPay: from n/a through 8.3.1.

AnalysisAI

Missing authorization in the Nexi XPay WordPress plugin (versions up to and including 8.3.1) allows remote unauthenticated attackers to exploit incorrectly configured access control security levels, resulting in high impact to availability. Reported by Patchstack with no public exploit identified at time of analysis, the issue stems from broken access control on plugin endpoints used by Italian e-commerce sites integrating Nexi/CartaSi payment processing.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Nexi XPay
Delivery
Send unauthenticated request to vulnerable endpoint
Exploit
Bypass missing authorization check
Execution
Trigger privileged availability-affecting action
Impact
Disrupt plugin or checkout functionality

Vulnerability AssessmentAI

Exploitation The target WordPress site must have the Nexi XPay (cartasi-x-pay) plugin installed and activated at version 8.3.1 or earlier, with its HTTP endpoints (admin-ajax.php actions and/or /wp-json/ REST routes registered by the plugin) reachable over the network - which is the default for any public WooCommerce storefront. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores 7.5 and indicates a network-reachable, low-complexity, fully unauthenticated attack that affects only availability - no confidentiality or integrity loss is claimed by the scorer. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans WordPress sites running the Nexi XPay plugin (fingerprintable via plugin assets or /wp-content/plugins/cartasi-x-pay/ paths) and sends an unauthenticated HTTP request directly to the vulnerable admin-ajax action or REST route that lacks a capability check. Because the endpoint performs a privileged availability-affecting operation without verifying the caller, the attacker triggers it repeatedly to disrupt checkout or plugin functionality on the storefront. …
Remediation No vendor-released patched version is identified in the available data - the Patchstack record only marks 8.3.1 as vulnerable without naming a fixed release, so administrators should monitor the plugin's WordPress.org changelog and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cartasi-x-pay/vulnerability/wordpress-nexi-xpay-plugin-8-3-1-broken-access-control-vulnerability) for a 8.3.2 or later update and upgrade as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for Nexi XPay versions ≤8.3.1 and document exposure scope; prioritize merchant sites processing transactions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy