The popular e-commerce CMS platform, Magento, announced multiple security updates to their commerce and open source versions on March 26, 2018. More than 250,000 active Magento installations are affected by these security flaws, including versions 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, and 2.3 prior to 2.3.1.
Among the thirty-seven vulnerabilities identified, the most critical are a SQL injection (SQLi) vulnerability, remote code execution (RCE), cross-site scripting (XSS) and a cross-site request forgery (CSRF) vulnerability. These vulnerabilities allow attackers to gain unauthenticated access to online websites, which could have major data breach consequences for website owners.
Every Magento site owner is encouraged to update to the latest version immediately to help protect their e-commerce online store. Users that have not updated to the latest version of Magento should be aware that they are leaving their database vulnerable to attackers seeking sensitive data, such as consumers’ usernames, password hashes, contact information, and most importantly, credit card details. As a best practice, users should always keep their themes, plugins, and core files up to date. For the full list of the vulnerabilities patched, visit Magento’s security patches page.
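To decide quickly whether a given install still needs the update, the version ranges above can be turned into a small inventory check. The script below is an added example written for this post, not SiteLock's or Magento's code; the affected ranges are the ones the advisory states (2.1 before 2.1.17, 2.2 before 2.2.8, 2.3 before 2.3.1), the hostnames and version strings in the sample inventory are constructed, and it compares versions numerically so that 2.2.10 is correctly treated as newer than 2.2.8.

```python
"""Triage Magento 2 installs against the version ranges in the advisory.

Added example (not SiteLock's or Magento's code). The branch -> first
patched release table is taken from the advisory text.
"""
import re

# Branch (major, minor) -> first release that carries the fix, per the advisory.
FIRST_FIXED = {
    (2, 1): (2, 1, 17),
    (2, 2): (2, 2, 8),
    (2, 3): (2, 3, 1),
}


def parse_version(text):
    """Extract the first numeric x.y.z version from a string.

    Accepts a bare '2.2.7' as well as tool output such as 'Magento CLI 2.2.7'
    (the shape 'bin/magento --version' prints). Returns a tuple of ints so
    comparisons are numeric, not lexical.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Return True if the version is inside an affected range, False if it is
    at or past the first fixed release, and None for branches the advisory
    does not mention (e.g. 2.0 or 1.x), which must not be assumed safe."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def triage(inventory):
    """Sort (host, version) pairs into needs_update / ok / unknown buckets."""
    result = {"needs_update": [], "ok": [], "unknown": []}
    for host, version in inventory:
        status = is_affected(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["needs_update"].append(host)
        else:
            result["ok"].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("shop-a.example", "Magento CLI 2.2.7"),
    ("shop-b.example", "2.3.1"),
    ("shop-c.example", "2.1.16"),
    ("shop-d.example", "2.0.18"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Installs that land in the `unknown` bucket are on branches the advisory does not cover at all; those should be reviewed against Magento's own patch notes rather than marked as fine.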
Magento sites protected by SiteLock INFINITY are covered against these vulnerabilities and will see these patches applied automatically when their next automated scan runs. Download the latest version of Magento to take advantage of the latest security updates.
If you would like to protect your Magento site today with automated malware removal and core CMS vulnerability patching, contact SiteLock today and ask about INFINITY. We’re available 24/7 via phone, email, or live chat to help.