source: https://www.securityfocus.com/bid/10534/info

A vulnerability exists in the software that may allow a remote user to launch cross-site scripting attacks. The problem is reported to exist due to improper sanitizing of user-supplied data in the 'shoperror.asp' script.

An attacker can exploit this issue to steal cookie authentication credentials, or perform other types of attacks. 

VP-ASP versions 5.0 and prior may be prone to this issue. It is possible that a vendor-supplied fix addresses this issue, however, this has not been confirmed at the moment.

http://www.example.com/vpasp/shoperror.asp?msg=<img%20src="javascript:alert('XSS')">
http://www.example.com/vpasp/shoperror.asp?msg=<meta%20http-equiv='refresh'content=
'0'>