We have posted a recommended update to the Site Store Pro and WPCartPro search module to avoid a potential false-positive error during a website PCI scan.
This update is not required, since it is not a critical security patch, but it is recommended to install this patch on any live PHP cart install. It avoids a potential XSS error alert on the search engine’s keyword field when a scan uses a very specific XSS scanning profile that some ASVs are now employing as of January 22, 2015 with the latest Nexus scanning engine.
The download (install) zip files for both the new API (mysqli) based cart (version 2.1501i) that was released on January 12th and the previous PHP responsive and non-responsive carts (any version prior to 2.1501) have already been updated with this modification, so any new installs will already be patched.
To patch your current live installs to avoid a false-positive XSS vulnerability error on the keyword search field during a site PCI scan, please download and install the patch via the URL below.
(Instructions on installing the patch for your specific version are included in the README.txt file inside the downloaded zip file).
If you need assistance installing the patch to your install or if you are using a customized search module (include file) and not using the default version of any of the following three files, please contact support for assistance in patching your custom search code:
/sitestorepro/includes/sspro_search_builder_responsive_mysqli.php (Version 2.1501)
/sitestorepro/includes/sspro_search_builder_responsive.php (Any version before and including 2.1410)
/sitestorepro/includes/sspro_search_builder.php (Any version before and including 2.1410)
If you are unsure whether your install is using a customized search module, simply log in to your admin area, go to “Store Setup > Admin Features > Store Customizations” and search the page for the following two files in versions prior to January 2015:
Or for the latest API release (Version 2.1501i), search for:
If any of the above files are highlighted in yellow and list a non-default (custom) file name as the ACTIVE file, then your install is using a custom search module.