Details of VAR-201407-0648

ID

VAR-201407-0648

CVE

CVE-2014-4549

TITLE

WordPress for WooCommerce SagePay Direct Payment Gateway Plug-in vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-003181

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in pages/3DComplete.php in the WooCommerce SagePay Direct Payment Gateway plugin before 0.1.6.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MD or (2) PARes parameter. WordPress is a blogging platform developed by the WordPress Software Foundation using the PHP language. The platform supports the setting up of personal blog websites on PHP and MySQL servers. WooCommerce SagePay Direct Payment Gateway is one of the WooCommerce (e-commerce) payment gateway plugins. When a user browses an affected website, their browser will execute arbitrary script code provided by the attacker, which may cause the attacker to steal cookie-based authentication and launch other attacks. Vulnerabilities in WooCommerce SagePay Direct Payment version 0.1.6.6, other versions may also be affected

Trust: 2.52

sources: NVD: CVE-2014-4549 // JVNDB: JVNDB-2014-003181 // CNNVD: CNNVD-201402-269 // BID: 65355 // VULHUB: VHN-72489

AFFECTED PRODUCTS

vendor:	woocommerce sagepay direct payment gateway	model:	woocommerce sagepay direct payment gateway	scope:	lte	version:	0.1.6.6	Trust: 1.0
vendor:	swicks	model:	woocommerce sagepay direct payment gateway	scope:	lt	version:	0.1.6.7	Trust: 0.8
vendor:	woocommerce sagepay direct payment gateway	model:	woocommerce sagepay direct payment gateway	scope:	eq	version:	0.1.6.6	Trust: 0.6

sources: JVNDB: JVNDB-2014-003181 // CNNVD: CNNVD-201407-126 // NVD: CVE-2014-4549

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-4549
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-4549
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201407-126
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-72489
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-4549
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-72489
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-72489 // JVNDB: JVNDB-2014-003181 // CNNVD: CNNVD-201407-126 // NVD: CVE-2014-4549

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-72489 // JVNDB: JVNDB-2014-003181 // NVD: CVE-2014-4549

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201402-269 // CNNVD: CNNVD-201407-126

TYPE

XSS

Trust: 1.2

sources: CNNVD: CNNVD-201402-269 // CNNVD: CNNVD-201407-126

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003181

PATCH

title:	Top Page	url:	http://devicesoftware.com/	Trust: 0.8
title:	wp-plugins/sagepay-direct-for-woocommerce-payment-gateway	url:	https://github.com/wp-plugins/sagepay-direct-for-woocommerce-payment-gateway/commit/9c6cf939c6c25377c285439b92ef2bb5ebda9db6	Trust: 0.8
title:	WooCommerce SagePay Direct Payment Gateway	url:	http://wordpress.org/plugins/sagepay-direct-for-woocommerce-payment-gateway/changelog/	Trust: 0.8
title:	sagepay-direct-for-woocommerce-payment-gateway.0.1.6.7	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=50639	Trust: 0.6

sources: JVNDB: JVNDB-2014-003181 // CNNVD: CNNVD-201407-126

EXTERNAL IDS

db:	NVD	id:	CVE-2014-4549	Trust: 2.8
db:	BID	id:	65355	Trust: 2.0
db:	JVNDB	id:	JVNDB-2014-003181	Trust: 0.8
db:	CNNVD	id:	CNNVD-201407-126	Trust: 0.7
db:	CNNVD	id:	CNNVD-201402-269	Trust: 0.6
db:	VULHUB	id:	VHN-72489	Trust: 0.1

sources: VULHUB: VHN-72489 // BID: 65355 // JVNDB: JVNDB-2014-003181 // CNNVD: CNNVD-201402-269 // CNNVD: CNNVD-201407-126 // NVD: CVE-2014-4549

REFERENCES

url:	http://www.securityfocus.com/bid/65355	Trust: 1.7
url:	http://wordpress.org/plugins/sagepay-direct-for-woocommerce-payment-gateway/changelog	Trust: 1.7
url:	https://github.com/wp-plugins/sagepay-direct-for-woocommerce-payment-gateway/commit/9c6cf939c6c25377c285439b92ef2bb5ebda9db6	Trust: 1.7
url:	http://codevigilant.com/disclosure/wp-plugin-sagepay-direct-for-woocommerce-payment-gateway-a3-cross-site-scripting-xss	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4549	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4549	Trust: 0.8
url:	http://codevigilant.com/disclosure/wp-plugin-sagepay-direct-for-woocommerce-payment-gateway-a3-cross-site-scripting-xss/	Trust: 0.8

sources: VULHUB: VHN-72489 // JVNDB: JVNDB-2014-003181 // CNNVD: CNNVD-201402-269 // CNNVD: CNNVD-201407-126 // NVD: CVE-2014-4549

CREDITS

Prajal Kulkarni

Trust: 0.3

sources: BID: 65355

SOURCES

db:	VULHUB	id:	VHN-72489
db:	BID	id:	65355
db:	JVNDB	id:	JVNDB-2014-003181
db:	CNNVD	id:	CNNVD-201402-269
db:	CNNVD	id:	CNNVD-201407-126
db:	NVD	id:	CVE-2014-4549

LAST UPDATE DATE

2025-04-13T23:39:41.899000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-72489	date:	2015-08-28T00:00:00
db:	BID	id:	65355	date:	2014-07-03T15:47:00
db:	JVNDB	id:	JVNDB-2014-003181	date:	2014-07-07T00:00:00
db:	CNNVD	id:	CNNVD-201402-269	date:	2014-02-21T00:00:00
db:	CNNVD	id:	CNNVD-201407-126	date:	2014-07-04T00:00:00
db:	NVD	id:	CVE-2014-4549	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-72489	date:	2014-07-02T00:00:00
db:	BID	id:	65355	date:	2014-02-05T00:00:00
db:	JVNDB	id:	JVNDB-2014-003181	date:	2014-07-07T00:00:00
db:	CNNVD	id:	CNNVD-201402-269	date:	2014-02-21T00:00:00
db:	CNNVD	id:	CNNVD-201407-126	date:	2014-07-04T00:00:00
db:	NVD	id:	CVE-2014-4549	date:	2014-07-02T20:55:06.187