VAR-201407-0648
Vulnerability from variot - Updated: 2025-04-13 23:39
Multiple cross-site scripting (XSS) vulnerabilities in pages/3DComplete.php in the WooCommerce SagePay Direct Payment Gateway plugin before 0.1.6.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MD or (2) PARes parameter. WordPress is a blogging platform developed by the WordPress Software Foundation using the PHP language. The platform supports the setting up of personal blog websites on PHP and MySQL servers. WooCommerce SagePay Direct Payment Gateway is one of the WooCommerce (e-commerce) payment gateway plugins. When a user browses an affected website, their browser will execute arbitrary script code provided by the attacker, which may allow the attacker to steal cookie-based authentication credentials and launch other attacks. WooCommerce SagePay Direct Payment version 0.1.6.6 is vulnerable; other versions may also be affected.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201407-0648",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "woocommerce sagepay direct payment gateway",
"scope": "lte",
"trust": 1.0,
"vendor": "woocommerce sagepay direct payment gateway",
"version": "0.1.6.6"
},
{
"model": "woocommerce sagepay direct payment gateway",
"scope": "lt",
"trust": 0.8,
"vendor": "swicks",
"version": "0.1.6.7"
},
{
"model": "woocommerce sagepay direct payment gateway",
"scope": "eq",
"trust": 0.6,
"vendor": "woocommerce sagepay direct payment gateway",
"version": "0.1.6.6"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-003181"
},
{
"db": "CNNVD",
"id": "CNNVD-201407-126"
},
{
"db": "NVD",
"id": "CVE-2014-4549"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:woocommerce_sagepay_direct_payment_gateway_project:woocommerce_sagepay_direct_payment_gateway",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-003181"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Prajal Kulkarni",
"sources": [
{
"db": "BID",
"id": "65355"
}
],
"trust": 0.3
},
"cve": "CVE-2014-4549",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2014-4549",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-72489",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-4549",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2014-4549",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-201407-126",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-72489",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-72489"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-003181"
},
{
"db": "CNNVD",
"id": "CNNVD-201407-126"
},
{
"db": "NVD",
"id": "CVE-2014-4549"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple cross-site scripting (XSS) vulnerabilities in pages/3DComplete.php in the WooCommerce SagePay Direct Payment Gateway plugin before 0.1.6.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MD or (2) PARes parameter. WordPress is a blogging platform developed by the WordPress Software Foundation using the PHP language. The platform supports the setting up of personal blog websites on PHP and MySQL servers. WooCommerce SagePay Direct Payment Gateway is one of the WooCommerce (e-commerce) payment gateway plugins. When a user browses an affected website, their browser will execute arbitrary script code provided by the attacker, which may cause the attacker to steal cookie-based authentication and launch other attacks. Vulnerabilities in WooCommerce SagePay Direct Payment version 0.1.6.6, other versions may also be affected",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-4549"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-003181"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-269"
},
{
"db": "BID",
"id": "65355"
},
{
"db": "VULHUB",
"id": "VHN-72489"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-4549",
"trust": 2.8
},
{
"db": "BID",
"id": "65355",
"trust": 2.0
},
{
"db": "JVNDB",
"id": "JVNDB-2014-003181",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201407-126",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-201402-269",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-72489",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-72489"
},
{
"db": "BID",
"id": "65355"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-003181"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-269"
},
{
"db": "CNNVD",
"id": "CNNVD-201407-126"
},
{
"db": "NVD",
"id": "CVE-2014-4549"
}
]
},
"id": "VAR-201407-0648",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-72489"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-13T23:39:41.899000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://devicesoftware.com/"
},
{
"title": "wp-plugins/sagepay-direct-for-woocommerce-payment-gateway",
"trust": 0.8,
"url": "https://github.com/wp-plugins/sagepay-direct-for-woocommerce-payment-gateway/commit/9c6cf939c6c25377c285439b92ef2bb5ebda9db6"
},
{
"title": "WooCommerce SagePay Direct Payment Gateway",
"trust": 0.8,
"url": "http://wordpress.org/plugins/sagepay-direct-for-woocommerce-payment-gateway/changelog/"
},
{
"title": "sagepay-direct-for-woocommerce-payment-gateway.0.1.6.7",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=50639"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-003181"
},
{
"db": "CNNVD",
"id": "CNNVD-201407-126"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-72489"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-003181"
},
{
"db": "NVD",
"id": "CVE-2014-4549"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/65355"
},
{
"trust": 1.7,
"url": "http://wordpress.org/plugins/sagepay-direct-for-woocommerce-payment-gateway/changelog"
},
{
"trust": 1.7,
"url": "https://github.com/wp-plugins/sagepay-direct-for-woocommerce-payment-gateway/commit/9c6cf939c6c25377c285439b92ef2bb5ebda9db6"
},
{
"trust": 1.7,
"url": "http://codevigilant.com/disclosure/wp-plugin-sagepay-direct-for-woocommerce-payment-gateway-a3-cross-site-scripting-xss"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4549"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4549"
},
{
"trust": 0.8,
"url": "http://codevigilant.com/disclosure/wp-plugin-sagepay-direct-for-woocommerce-payment-gateway-a3-cross-site-scripting-xss/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-72489"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-003181"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-269"
},
{
"db": "CNNVD",
"id": "CNNVD-201407-126"
},
{
"db": "NVD",
"id": "CVE-2014-4549"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-72489"
},
{
"db": "BID",
"id": "65355"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-003181"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-269"
},
{
"db": "CNNVD",
"id": "CNNVD-201407-126"
},
{
"db": "NVD",
"id": "CVE-2014-4549"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-07-02T00:00:00",
"db": "VULHUB",
"id": "VHN-72489"
},
{
"date": "2014-02-05T00:00:00",
"db": "BID",
"id": "65355"
},
{
"date": "2014-07-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-003181"
},
{
"date": "2014-02-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201402-269"
},
{
"date": "2014-07-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201407-126"
},
{
"date": "2014-07-02T20:55:06.187000",
"db": "NVD",
"id": "CVE-2014-4549"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-08-28T00:00:00",
"db": "VULHUB",
"id": "VHN-72489"
},
{
"date": "2014-07-03T15:47:00",
"db": "BID",
"id": "65355"
},
{
"date": "2014-07-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-003181"
},
{
"date": "2014-02-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201402-269"
},
{
"date": "2014-07-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201407-126"
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2014-4549"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201402-269"
},
{
"db": "CNNVD",
"id": "CNNVD-201407-126"
}
],
"trust": 1.2
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "WordPress for WooCommerce SagePay Direct Payment Gateway Plug-in vulnerable to cross-site scripting",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-003181"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201402-269"
},
{
"db": "CNNVD",
"id": "CNNVD-201407-126"
}
],
"trust": 1.2
}
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.