This part is for those who use X-Payments:
As you may already know, right after the OpenSSL Heartbleed vulnerability a new one has been found in the SSL protocol: POODLE.
The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.
You can read more about POODLE at
Please note - this is NOT a vulnerability in X-Payments or in the X-Payments connector modules for X-Cart. This is a vulnerability in the ciphering software used by almost every server on the Internet to establish secure connections.
What needs to be done:
1) X-Cart 4 users - apply the xc4_xp_no_force_ssl3.diff patch to your X-Cart. It disables the forced use of SSLv3 and enables automatic selection of TLS or SSL, so if your hosting provider has disabled SSLv3 support for your X-Payments installation, your X-Cart will still be able to connect to X-Payments using TLS.
Or you can download our new connectors for X-Cart 4 at
They have been updated today to have the patch out of the box.
X-Cart 5 users - install the latest version of the X-Payments connector available at the X-Cart 5 Marketplace.
2) Make sure the server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use an X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.
If your cURL is older - update it.
If you have no idea what cURL is - consult your hosting admin.
And since I mentioned OpenSSL Heartbleed - check your OpenSSL version; it should be at least 1.0.1g.
If you do not use X-Payments - go straight to http://forum.x-cart.com/showpost.php?p=379153&postcount=57
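
The version checks in step 2 and the OpenSSL note can be scripted. The following is an added example, not part of the original post or of X-Cart/X-Payments: it compares the first line of `curl --version` with the minimums named above. The function names and sample banners are constructed for illustration, and it assumes the command-line curl reports the same libcurl that your PHP installation uses.

```sh
#!/bin/sh
# Added example: compare a `curl --version` banner with the minimums named in the post.
MIN_CURL="7.18.1"       # minimum cURL from the post
MIN_OPENSSL="1.0.1g"    # minimum OpenSSL from the post

# version_ge A B: succeeds when A >= B. Numeric fields compare as numbers
# (7.9.8 < 7.18.1) and an OpenSSL letter suffix breaks ties (1.0.1 < 1.0.1f < 1.0.1g).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = a; sub(/[a-z].*$/, "", na); la = substr(a, length(na) + 1, 1)
        nb = b; sub(/[a-z].*$/, "", nb); lb = substr(b, length(nb) + 1, 1)
        split(na, x, "."); split(nb, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit ((la < lb) ? 1 : 0)
    }'
}

# audit_banner LINE: LINE is the first line of `curl --version`.
# Prints one finding per component; returns 0 only if nothing is below the minimum.
audit_banner() {
    rc=0
    curl_v=$(printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p')
    ssl_v=$(printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9.]*[0-9][a-z]*\).*|\1|p')
    if [ -z "$curl_v" ]; then echo "FAIL: no libcurl version found in banner"; rc=1
    elif version_ge "$curl_v" "$MIN_CURL"; then echo "OK: libcurl $curl_v"
    else echo "FAIL: libcurl $curl_v is older than $MIN_CURL"; rc=1; fi
    if [ -z "$ssl_v" ]; then echo "NOTE: banner lists no OpenSSL; check the system OpenSSL separately"
    elif version_ge "$ssl_v" "$MIN_OPENSSL"; then echo "OK: OpenSSL $ssl_v"
    else echo "FAIL: OpenSSL $ssl_v is older than $MIN_OPENSSL"; rc=1; fi
    return $rc
}

# Constructed sample banners, not captured from real hosts.
SAMPLE_OLD="curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8"
SAMPLE_OK="curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1j zlib/1.2.8"
audit_banner "$SAMPLE_OLD" || true
audit_banner "$SAMPLE_OK"  || true

# Audit this host when the curl command-line tool is installed.
if command -v curl >/dev/null 2>&1; then
    audit_banner "$(curl --version | head -n 1)" || true
fi
```

Some distributions backport security fixes without changing the upstream version string, so confirm a FAIL on a distribution package against the vendor's changelog before acting on it.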