HarborGuard Database
HIGH | CVE-2026-54810 | Published | Modified | CNA: Patchstack

CVE-2026-54810: WordPress Nexi XPay plugin <= 8.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: none published upstream yet
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a broken access control (missing authorization) vulnerability in the Nexi XPay WordPress plugin, versions 8.3.1 and earlier. The flaw is reachable over the network with no authentication required and no user interaction needed, meaning any remote, unauthenticated party can send a crafted request to trigger it. Successful exploitation causes a complete denial of availability of the affected service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images and pipeline artifacts, including custom-built WordPress images that bundle the Nexi XPay plugin.
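The matching step described above, as an added example written for this page rather than HarborGuard's scanner or the plugin's own code: it walks a WordPress plugins directory, reads the standard "Plugin Name:" / "Version:" header from each plugin's main PHP file, and flags any copy of Nexi XPay at or below 8.3.1 (the advisory gives no lower bound and no fixed version). The plugin slug, the header name "Nexi XPay", the 8.4.0 "later" version and the whole sample site are assumptions or constructed data, not facts from the advisory.

```python
"""Added example (not HarborGuard's scanner, not the plugin's own code): flag copies
of the Nexi XPay WordPress plugin at or below 8.3.1, the range affected by
CVE-2026-54810, by reading the standard WordPress plugin header.

Assumptions, none taken from the advisory: the plugin is installed under
wp-content/plugins/<slug>/, its main PHP file carries the usual
"Plugin Name:" / "Version:" header lines, the header name equals the advisory's
product name "Nexi XPay", and the sample site built below is constructed data.
"""
import re
import tempfile
from pathlib import Path

CVE_ID = "CVE-2026-54810"
PRODUCT = "Nexi XPay"           # product name as it appears in the advisory
AFFECTED_THROUGH = (8, 3, 1)    # "from n/a through 8.3.1": no lower bound

# WordPress reads "Key: Value" header pairs from the first 8 KiB of the main file.
_HEADER_RE = re.compile(r"^[\s*#/]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_text: str) -> dict:
    """Return the Plugin Name / Version pairs from a plugin's main file, if present."""
    return dict(_HEADER_RE.findall(php_text[:8192]))


def parse_version(version: str) -> tuple:
    """Normalise '8.3.1', '8.3' or '8.3.1-rc1' to a three-int tuple for ordering.

    Pre-release suffixes are ignored, which is the conservative choice here:
    '8.3.1-rc1' is treated as 8.3.1 and therefore still flagged.
    """
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"unparseable plugin version: {version!r}")
    parts = tuple(int(n) for n in nums[:3])
    return parts + (0,) * (3 - len(parts))


def is_affected(header: dict) -> bool:
    """True when the header describes Nexi XPay at a version <= 8.3.1."""
    if header.get("Plugin Name", "").casefold() != PRODUCT.casefold():
        return False
    return parse_version(header["Version"]) <= AFFECTED_THROUGH


def scan_plugins_dir(plugins_dir: Path) -> list:
    """Walk wp-content/plugins and return one finding per affected plugin copy."""
    findings = []
    for php in sorted(plugins_dir.glob("*/*.php")):
        header = parse_plugin_header(php.read_text(errors="replace"))
        if "Plugin Name" in header and "Version" in header and is_affected(header):
            findings.append({"cve": CVE_ID, "path": str(php.relative_to(plugins_dir)),
                             "version": header["Version"], "fix": "pending upstream"})
    return findings


def build_sample_site(root: Path) -> Path:
    """Write a constructed wp-content tree: one affected copy, one hypothetical later
    version, one unrelated plugin. The slugs and the 8.4.0 version are invented."""
    plugins = root / "wp-content" / "plugins"
    samples = {
        "nexi-xpay/nexi-xpay.php": ("Nexi XPay", "8.3.1"),          # affected
        "nexi-xpay-staging/nexi-xpay.php": ("Nexi XPay", "8.4.0"),  # hypothetical, not affected
        "hello-dolly/hello.php": ("Hello Dolly", "1.7.2"),          # unrelated plugin
    }
    for rel, (name, version) in samples.items():
        path = plugins / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return plugins


def demo() -> list:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins_dir(build_sample_site(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Matching on the plugin header rather than on a package manifest matters for WordPress images: plugins are usually copied into the image as plain directories, so there is no package database to query, and the header is what WordPress itself reads to show the installed version.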
Triage: Available

HarborGuard scores this vulnerability at CVSS 7.5 (High) and applies per-environment compliance policy weighting to determine urgency and route findings to the appropriate team or inbox within each customer organization.
Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Nexi Payments ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is reached over the network (AV:N), so an attacker must be able to send HTTP requests to the WordPress installation; the advisory text reproduced above does not name the specific endpoint.

  • Authentication: Not required

    No account or credentials of any kind are needed to trigger the vulnerability (PR:N).

  • Victim interaction: Not required

    The attack is fully server-side; no user needs to click a link or perform any action (UI:N).

  • Attack complexity: Low

    Rated AC:L, meaning exploitation requires no race conditions, special configuration or other environmental preconditions.

Blast Radius

  • Crashes or renders the affected WordPress service unavailable (A:H), a complete loss of availability for the site and any checkout flows powered by Nexi XPay.
  • Payment processing through the Nexi XPay plugin is disrupted for the duration of the outage, blocking transaction completion.
  • No confidentiality or integrity impact is indicated (C:N/I:N); the advisory describes no reading or modification of stored data through this path.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-54810 is active across all customer environments running affected versions of the Nexi XPay WordPress plugin. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically once Nexi Payments publishes a remediated release. In the interim, customers can apply compensating controls. HarborGuard network policies can restrict ingress to the WordPress pod so that only trusted paths (for example the site's reverse proxy or WAF) reach it; on a public checkout site this does not block the triggering request outright, but it guarantees every request passes through a layer where request filtering and rate limiting can be applied. Egress filtering is not a mitigation here, since the trigger is an inbound, unauthenticated HTTP request (AV:N/PR:N). Deactivating the Nexi XPay plugin removes the vulnerable code path entirely, but it also takes the checkout flow offline, which is the same availability loss the CVE threatens, so treat it as a deliberate trade-off rather than a free mitigation. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be opened without manual steps the moment a fix version is confirmed upstream.

Affected packages
  • Nexi Payments / Nexi XPay
    ≤ 8.3.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References