CVE-2014-4549

Multiple cross-site scripting (XSS) vulnerabilities in pages/3DComplete.php in the WooCommerce SagePay Direct Payment Gateway plugin before 0.1.6.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MD or (2) PARes parameter.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
VendorProductVersion
woocommerce_sagepay_direct_payment_gateway_projectwoocommerce_sagepay_direct_payment_gateway
𝑥
≤ 0.1.6.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://codevigilant.com/disclosure/wp-plugin-sagepay-direct-for-woocommerce-payment-gateway-a3-cross-site-scripting-xss
http://wordpress.org/plugins/sagepay-direct-for-woocommerce-payment-gateway/changelog
http://www.securityfocus.com/bid/65355
https://github.com/wp-plugins/sagepay-direct-for-woocommerce-payment-gateway/commit/9c6cf939c6c25377c285439b92ef2bb5ebda9db6
http://codevigilant.com/disclosure/wp-plugin-sagepay-direct-for-woocommerce-payment-gateway-a3-cross-site-scripting-xss
http://wordpress.org/plugins/sagepay-direct-for-woocommerce-payment-gateway/changelog
http://www.securityfocus.com/bid/65355
https://github.com/wp-plugins/sagepay-direct-for-woocommerce-payment-gateway/commit/9c6cf939c6c25377c285439b92ef2bb5ebda9db6