Last week, Magento released a very important bundle of patches for their eponymous e-commerce platform that should be implemented as soon as possible.
The bundle plugs a number of critical vulnerabilities, including two stored cross-site scripting (XSS) flaws that can be easily exploited by attackers to take over the site’s shop.
Sucuri Security has provided more details about one of these, which has been discovered by their vulnerability researcher Marc-Alexandre Montpas.
“Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk,” he noted.
This vulnerability affects almost every install of Magento CE prior to 220.127.116.11, and Magento EE prior to 18.104.22.168.
Both bugs are critical – can be exploited easily and remotely – so admins are advised to update their Magento installation(s) immediately.