This host is installed with WordPress Alipay plugin and is prone to cross-site scripting vulnerability.

Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a users browser session in the context of an affected site. Impact Level: Application

Upgrade to WordPress Alipay plugin 3.6.2 or later. For updates refer https://wordpress.org/plugins/alipay/

Input passed via the para_ret['total_fee GET parameter to inc.tenpay_notify.php script is not validated before returning it to users.

WordPress Alipay plugin 3.6.0 and earlier

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

• http://codevigilant.com/disclosure/wp-plugin-alipay-a3-cross-site-scripting-xss/
• http://www.osvdb.com/108776
• http://xforce.iss.net/xforce/xfdb/97736

---

Updated on 2015-03-25