CVE-2026-54810
Deferred Deferred - Pending Action
Missing Authorization in Nexi XPay

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-54810
EUVD
EUVD-2026-37725
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nexi xpay 8.3.1
nexi xpay 8.3.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Nexi XPay Plugin allows unauthenticated attackers to perform privileged actions due to missing authorization checks, which constitutes broken access control.

Such broken access control issues can lead to unauthorized access or disruption of services, potentially resulting in data breaches or service unavailability.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that allow unauthorized access or denial of service can negatively impact compliance by risking the confidentiality, integrity, and availability of sensitive data.

Executive Summary

CVE-2026-54810 is a Missing Authorization vulnerability in the Nexi Payments Nexi XPay WordPress plugin, versions 8.3.1 and below.

This vulnerability is a Broken Access Control issue that allows unauthenticated attackers to perform privileged actions because the plugin lacks proper authorization checks.

It is classified as a high-priority security flaw with a CVSS score of 7.5 and falls under the OWASP Top 10's A1 category.

Impact Analysis

This vulnerability can have a significant impact as it allows attackers without any authentication to perform privileged actions on affected websites using the Nexi XPay plugin.

Such unauthorized actions could lead to disruption of services or compromise of the affected system's availability.

The vulnerability is actively exploited in mass campaigns targeting thousands of websites, increasing the risk of widespread damage.

Detection Guidance

This vulnerability allows unauthenticated attackers to perform privileged actions due to missing authorization checks in the Nexi XPay WordPress plugin versions 8.3.1 and below.

Detection can involve monitoring for unusual or unauthorized access attempts to the Nexi XPay plugin endpoints, especially those that should require authorization.

Since the vulnerability is related to broken access control, network or system detection could include checking web server logs for suspicious requests targeting the plugin's API or admin functions without proper authentication.

Specific commands are not provided in the available resources.

Mitigation Strategies

The immediate recommended step is to update the Nexi XPay WordPress plugin to version 8.3.2 or later, where the vulnerability is patched.

Until the update can be applied, Patchstack provides an automatic mitigation rule that can be used to block attacks targeting this vulnerability.

Users should also monitor their systems for any signs of exploitation and restrict access to the plugin's administrative functions where possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54810. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart