The "SagePay Server Gateway for WooCommerce" plugin before 1.0.9 for WordPress has XSS via the includes/pages/redirect.php page parameter.
Analyzing vulnerability vectors…
Your command center for real-time vulnerability intelligence — built for security professionals who need answers fast.
Full Pro access — no charge for 14 days. Cancel any time before your trial ends and you won't be billed.