In my version (4.1.10) the following security measure is implemented in the config.php file.
Code:
#
# The constant FRAME_NOT_ALLOWED forbids calling X-Cart in IFRAME / FRAME tags.
# If you do not use X-Cart in any pages where X-Cart is displayed through a
# frame, this option can be enabled to enhance security. This option prevents
# attacks in which the attacker displays X-Cart through a frame and, using web
# browser vulnerabilities, intercepts the information being entered in it.
#
define("FRAME_NOT_ALLOWED", true);
Should this not stop the attack which you are talking about?