PT-2014-5970 · Woocommerce · Woocommerce Sagepay Direct Payment Gateway

Published: 2014-07-02 · Updated: 2015-08-28 · CVE-2014-4549

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

WooCommerce SagePay Direct Payment Gateway plugin versions prior to 0.1.6.7

Description

The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the MD or PARes parameters in the pages/3DComplete.php file.

Recommendations

For versions prior to 0.1.6.7, update to version 0.1.6.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the pages/3DComplete.php file or avoiding the use of the MD and PARes parameters until the update is applied.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2014-4549

Affected Products

Woocommerce Sagepay Direct Payment Gateway