CVE-2025-15565 Overview
CVE-2025-15565 is an authorization bypass vulnerability in the Nexi XPay plugin for WordPress that allows unauthenticated attackers to mark pending WooCommerce orders as paid or completed. The vulnerability exists due to missing authorization checks on the redirect function in all versions up to and including 8.3.0. This flaw enables unauthorized modification of e-commerce order data, potentially leading to significant financial losses for affected merchants.
Critical Impact
Unauthenticated attackers can bypass payment verification and mark unpaid WooCommerce orders as completed, enabling fraudulent purchases without actual payment.
Affected Products
- Nexi XPay plugin for WordPress versions ≤ 8.3.0
- WooCommerce installations using the vulnerable Nexi XPay payment gateway
- WordPress sites running the plugin under its earlier CartaSi X-Pay name (the repository referenced below still carries that name)
Discovery Timeline
- 2026-04-14 - CVE-2025-15565 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2025-15565
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), indicating that the affected redirect function fails to verify whether the requesting user has proper authorization to modify order status. The flaw resides in the WC_Gateway_XPay_Process_Completion.php file within the plugin's payment completion workflow.
When processing payment callbacks, the redirect function accepts requests to update order status without validating the authenticity of the payment completion signal: the caller supplies an order identifier and the handler transitions that order to a paid state as if the gateway had confirmed payment. This oversight allows any unauthenticated remote attacker to craft requests that manipulate order states, bypassing the payment verification process entirely.
The attack can be executed over the network without any user interaction or authentication, making it particularly dangerous for e-commerce sites that rely on the Nexi XPay gateway for payment processing.
Root Cause
The root cause is the absence of proper authorization checks in the redirect function within WC_Gateway_XPay_Process_Completion.php. The function processes order completion requests without verifying:
- Whether the request originates from a legitimate payment gateway callback rather than from an arbitrary client
- Whether the requesting entity has authorization to modify order status
- Whether the gateway's cryptographic verification of the transaction (its MAC or signature over the callback parameters) has been checked, and whether the confirmed amount and currency match the order being completed
This missing-authorization pattern is a common oversight in payment gateway integrations where developers assume that every request reaching the completion handler is a legitimate callback.
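The following is an added illustration of the pattern described above, not code from the Nexi XPay plugin: a completion handler that trusts whatever order id arrives in the request, beside a hardened handler that authenticates the callback before changing order state. The HMAC-SHA256 scheme, the field names, and the OrderStore class are assumptions made for the example; the real XPay MAC format must be taken from Nexi's integration documentation, and WooCommerce's own order API is not modelled here.

```python
"""Missing-authorization completion handler beside a hardened one.

Added example, not the Nexi XPay plugin's code. The MAC scheme (HMAC-SHA256
over the echoed fields), field names and OrderStore are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Order:
    order_id: str
    amount_cents: int          # amount the merchant expects, in minor units
    currency: str
    status: str = "pending"    # pending -> completed once payment is confirmed
    transaction_id: Optional[str] = None


class OrderStore:
    """Toy stand-in for the WooCommerce order table (constructed for the example)."""

    def __init__(self, orders):
        self._orders = {o.order_id: o for o in orders}

    def get(self, order_id):
        return self._orders.get(order_id)


def vulnerable_complete(params, store):
    """CWE-862 pattern: any order id named in the request is marked paid."""
    order = store.get(str(params.get("order_id", "")))
    if order is None:
        return False, "unknown order"
    order.status = "completed"
    order.transaction_id = params.get("transaction_id")
    return True, "completed"


def gateway_mac(params, secret):
    """Hypothetical MAC: HMAC-SHA256 over the fields the gateway echoes back."""
    fields = ("order_id", "amount_cents", "currency", "result", "transaction_id")
    msg = "|".join(str(params[k]) for k in fields)
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def hardened_complete(params, store, secret):
    """Authenticate the callback, then check state, outcome and amount."""
    required = ("order_id", "amount_cents", "currency", "result", "transaction_id", "mac")
    if any(k not in params for k in required):
        return False, "missing field"
    # 1. Authenticity: recompute the MAC with the shared secret; constant-time compare.
    if not hmac.compare_digest(gateway_mac(params, secret), str(params["mac"])):
        return False, "bad mac"
    order = store.get(str(params["order_id"]))
    if order is None:
        return False, "unknown order"
    # 2. State: only a pending order may transition; a replayed callback stops here.
    if order.status != "pending":
        return False, "order not pending"
    # 3. Outcome, amount and currency must match what the merchant recorded.
    if params["result"] != "OK":
        order.status = "failed"
        return False, "payment declined"
    if int(params["amount_cents"]) != order.amount_cents or params["currency"] != order.currency:
        return False, "amount/currency mismatch"
    order.status = "completed"
    order.transaction_id = str(params["transaction_id"])
    return True, "completed"


if __name__ == "__main__":
    store = OrderStore([Order("1001", 1999, "EUR")])
    forged = {"order_id": "1001", "transaction_id": "forged"}
    print("vulnerable:", vulnerable_complete(forged, store))
    store = OrderStore([Order("1001", 1999, "EUR")])
    print("hardened, forged:", hardened_complete(forged, store, "shared-secret"))
```

The three checks in hardened_complete are the ones the root-cause list above names: the MAC ties the request to the gateway's shared secret, the pending-state check stops replays and double completion, and the amount and currency comparison stops a valid callback for a cheap order from being reused against an expensive one.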
Attack Vector
The vulnerability is exploitable via network-based requests. An attacker with knowledge of the endpoint structure can send crafted HTTP requests to the vulnerable redirect function to manipulate WooCommerce order statuses. The attack requires no authentication or user interaction.
The attacker would need to:
- Identify a WordPress site using the vulnerable Nexi XPay plugin
- Determine or guess valid order IDs for pending orders (WooCommerce order IDs are sequential, so enumeration is straightforward)
- Craft requests to the redirect endpoint that trigger order completion
- Submit the malicious requests to mark orders as paid without actual payment
Technical details of the vulnerable code can be found in the WordPress Cartasi XPay Code repository.
Detection Methods for CVE-2025-15565
Indicators of Compromise
- Unusual order status changes from "pending" to "completed" without corresponding payment gateway logs
- Orders marked as paid without matching transaction records in the Nexi XPay payment processor dashboard
- HTTP requests to the XPay completion endpoints from unexpected IP addresses or without proper callback signatures
Detection Strategies
- Monitor WooCommerce order status change logs for orders transitioning to "completed" without legitimate payment callbacks
- Implement logging on the redirect endpoint to capture all incoming requests and compare against legitimate payment gateway traffic patterns
- Cross-reference completed orders with actual payment processor transaction records to identify discrepancies
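The indicators and detection strategies above reduce to one reconciliation: every order that moved to a paid state must have a successful gateway transaction for that order and that amount. The script below is an added example of that reconciliation plus a simple burst alert, not a tool from Wordfence, WooCommerce or Nexi. The order-status log format and the gateway export are constructed for the example; a real deployment would feed it WooCommerce's order notes or an audit-log plugin's export and the transaction export from the Nexi XPay dashboard.

```python
"""Reconcile order-status transitions against gateway transactions.

Added example; the log format and gateway export below are constructed,
not the plugin's, WooCommerce's or Nexi's own formats.
"""
import re
from datetime import datetime, timedelta

# Constructed order-status audit log: one line per status transition.
ORDER_LOG = """\
2026-04-15T10:02:11Z order=5001 from=pending to=completed txn=XP-88121
2026-04-15T10:05:40Z order=5002 from=pending to=completed txn=
2026-04-15T10:06:02Z order=5003 from=pending to=completed txn=XP-99999
2026-04-15T10:09:15Z order=5004 from=pending to=cancelled txn=
"""

# Constructed gateway transaction export (what the processor dashboard would show).
GATEWAY_TXNS = [
    {"txn": "XP-88121", "order": "5001", "amount_cents": 4500, "result": "OK"},
    {"txn": "XP-77001", "order": "5005", "amount_cents": 1200, "result": "OK"},
]

# Constructed order totals as recorded at checkout.
ORDER_AMOUNTS = {"5001": 4500, "5002": 2300, "5003": 9900, "5004": 500}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) order=(?P<order>\d+) from=(?P<from>\w+) to=(?P<to>\w+) txn=(?P<txn>\S*)$"
)
PAID_STATES = {"completed", "processing"}


def parse_order_log(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_unpaid_completions(events, txns, amounts):
    """Return (order, reason) for each paid-state transition with no backing transaction."""
    by_txn = {t["txn"]: t for t in txns}
    findings = []
    for e in events:
        if e["to"] not in PAID_STATES:
            continue
        t = by_txn.get(e["txn"])
        if not e["txn"] or t is None:
            findings.append((e["order"], "no gateway transaction for completion"))
        elif t["order"] != e["order"]:
            findings.append((e["order"], f"transaction {e['txn']} belongs to order {t['order']}"))
        elif t["result"] != "OK":
            findings.append((e["order"], f"transaction {e['txn']} was not successful"))
        elif t["amount_cents"] != amounts.get(e["order"]):
            findings.append((e["order"], "gateway amount does not match order total"))
    return findings


def completion_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Flag sliding windows holding at least `threshold` paid-state transitions."""
    times = sorted(
        datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for e in events if e["to"] in PAID_STATES
    )
    bursts, start = [], 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            bursts.append((times[start], times[end], end - start + 1))
    return bursts


if __name__ == "__main__":
    evs = parse_order_log(ORDER_LOG)
    for order, reason in find_unpaid_completions(evs, GATEWAY_TXNS, ORDER_AMOUNTS):
        print(f"order {order}: {reason}")
    for first, last, n in completion_bursts(evs):
        print(f"{n} completions between {first} and {last}")
```

Run against the constructed sample it flags orders 5002 (completed with no transaction reference at all) and 5003 (a transaction reference the gateway has never seen); order 5001 reconciles cleanly and 5004 is ignored because a cancellation is not a paid state. The burst detector is deliberately crude: tune the window and threshold to the store's normal completion rate before alerting on it.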
Monitoring Recommendations
- Enable detailed access logging for the WordPress installation to track requests to payment-related endpoints
- Set up alerts for unusual spikes in order completion requests or orders completed without corresponding payment processor notifications
- Regularly audit WooCommerce order history against payment gateway transaction logs to detect fraudulent completions
How to Mitigate CVE-2025-15565
Immediate Actions Required
- Update the Nexi XPay plugin to a version newer than 8.3.0 that includes the authorization fix
- Audit all recent WooCommerce orders to identify any potentially fraudulent completions that occurred during the exposure window
- Implement additional server-level access controls to restrict access to payment callback endpoints until patching is complete
Patch Information
Organizations should update the Nexi XPay plugin to the latest patched version available. Consult the Wordfence Vulnerability Report for detailed remediation guidance and patch availability information.
Before applying updates, create a complete backup of the WordPress installation including the database. Test the update in a staging environment if possible to ensure compatibility with your WooCommerce configuration.
Workarounds
- Temporarily disable the Nexi XPay payment gateway until a patched version can be applied
- Implement Web Application Firewall (WAF) rules to restrict access to the vulnerable redirect endpoint to known Nexi payment gateway IP addresses. This only works if the endpoint receives server-to-server notifications from Nexi; if the redirect function is the URL the customer's browser is returned to after paying, an IP allowlist will block legitimate customers, so confirm with Nexi which endpoint the function serves before deploying such a rule
- Enable additional order verification workflows that require manual review of completed orders before fulfillment
# Configuration example
# Add to .htaccess to restrict direct access to the XPay completion file (temporary workaround).
# Apache 2.4 syntax (mod_authz_core); on Apache 2.2 use Order/Deny/Allow instead.
# This only helps if the endpoint is reached by requesting the PHP file directly. If the
# plugin serves it through WordPress (for example a wc-api request handled by index.php),
# a FilesMatch on the class file never fires; match the request URI with RewriteCond/
# RewriteRule or a <Location> block instead.
<FilesMatch "WC_Gateway_XPay_Process_Completion\.php$">
    # Allow only Nexi payment gateway addresses (verify current ranges with Nexi).
    # 192.0.2.0/24 is a documentation placeholder, not a real Nexi range.
    Require ip 192.0.2.0/24
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.