CVE-2014-4549

EUVD-2014-4476
Multiple cross-site scripting (XSS) vulnerabilities in pages/3DComplete.php in the WooCommerce SagePay Direct Payment Gateway plugin before 0.1.6.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MD or (2) PARes parameter.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
Affected Products (NVD)
VendorProductVersion
woocommerce_sagepay_direct_payment_gateway_projectwoocommerce_sagepay_direct_payment_gateway
𝑥
≤ 0.1.6.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://codevigilant.com/disclosure/wp-plugin-sagepay-direct-for-woocommerce-payment-gateway-a3-cross-site-scripting-xss
http://wordpress.org/plugins/sagepay-direct-for-woocommerce-payment-gateway/changelog
http://www.securityfocus.com/bid/65355
https://github.com/wp-plugins/sagepay-direct-for-woocommerce-payment-gateway/commit/9c6cf939c6c25377c285439b92ef2bb5ebda9db6
http://codevigilant.com/disclosure/wp-plugin-sagepay-direct-for-woocommerce-payment-gateway-a3-cross-site-scripting-xss
http://wordpress.org/plugins/sagepay-direct-for-woocommerce-payment-gateway/changelog
http://www.securityfocus.com/bid/65355
https://github.com/wp-plugins/sagepay-direct-for-woocommerce-payment-gateway/commit/9c6cf939c6c25377c285439b92ef2bb5ebda9db6