WordPress WooCommerce SagePay Direct Payment Gateway Plugin XSS Vulnerability Network Vulnerability

Summary

This host is installed with Wordpress WooCommerce SagePay Direct Payment Gateway Plugin and is prone to cross site scripting vulnerability.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to WordPress WooCommerce SagePay Direct Payment Gateway plugin version 0.1.6.7 or later. For updates refer to http://wordpress.org/plugins/sagepay-direct-for-woocommerce-payment-gateway

Insight

Input passed via the 'MD' and 'PARes' parameters to pages/3DComplete.php script is not properly sanitised before being returned to the user.

Affected

WordPress WooCommerce SagePay Direct Payment Gateway plugin before version 0.1.6.7.

Detection

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

References

http://xforce.iss.net/xforce/xfdb/90960

Updated on 2017-03-28

Severity

Classification

CVE CVE-2014-4549

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

WordPress WooCommerce SagePay Direct Payment Gateway plugin XSS Vulnerability

Take action and discover your vulnerabilities