If you're one of millions using Magento – stop whatever you're doing and patch now
Ecommerce websites can be hijacked via critical flaw
A huge security hole has been found in popular ecommerce platform Magento, requiring an immediate update.
Critical cross-site scripting vulnerabilities have been found in both versions 1 and 2 of the platform. They can be exploited just by registering with a spiked username or email address – making it an obvious target for automated attack.
The holes can be used to effectively take over a Magento store, putting both user data and credit card data at risk.
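As an added illustration, not code from the article or from Magento itself, the pattern behind a registration-field XSS and its defensive fix, written in PHP because Magento is a PHP application; the sample registrations and the function names are constructed for this example.

```php
<?php
// Added example (not Magento code): how a stored XSS planted through a
// registration field arises, and how to neutralise it.
declare(strict_types=1);

// Constructed sample registrations; the second carries markup in the
// username, the kind of "spiked" value the article describes.
$registrations = [
    ['name' => 'Alice Example', 'email' => 'alice@example.com'],
    ['name' => 'Bob <script>alert(1)</script>', 'email' => 'bob@example.com'],
];

// Vulnerable pattern: interpolating the stored value straight into HTML
// means the browser of whoever views the customer list (an admin, for
// instance) runs whatever markup the registrant supplied.
function renderRowUnsafe(array $r): string
{
    return "<tr><td>{$r['name']}</td><td>{$r['email']}</td></tr>";
}

// Hardened pattern: encode for the HTML context at output time. This is the
// primary control; ENT_QUOTES also encodes quotes so the value is safe
// inside attributes as well as element bodies.
function renderRowSafe(array $r): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $esc($r['name']) . '</td><td>' . $esc($r['email']) . '</td></tr>';
}

// Secondary control at registration time: flag values that contain tag
// delimiters or fail basic email validation, so suspicious sign-ups can be
// logged and reviewed. Returns a list of reasons; empty means nothing odd.
function registrationProblems(array $r): array
{
    $problems = [];
    if (preg_match('/[<>]/', $r['name'])) {
        $problems[] = 'name contains HTML tag delimiters';
    }
    if (filter_var($r['email'], FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'email fails syntax validation';
    }
    return $problems;
}

foreach ($registrations as $r) {
    echo renderRowUnsafe($r), PHP_EOL;   // second row would execute in a browser
    echo renderRowSafe($r), PHP_EOL;     // second row shows up as harmless text
    print_r(registrationProblems($r));   // second row is flagged for review
}
```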
In other words: if you are running a Magento platform, stop whatever you are doing and get patching. You can expect your site to be tested within the next day.
The size of the problem is potentially huge: Magento is the internet's fourth most-popular CMS, with roughly three per cent of the market (behind WordPress, Joomla and Drupal). That means potentially millions of websites will be affected.
The company described the worst hole thusly:
There are a range of other critical and high-risk security vulnerabilities that have also been identified and patched in the updates. ®
Updated to add
A spokeswoman for Magento's developers has been in touch to say about 250,000 websites were affected by the aforementioned vulnerabilities, and not the 13 million some people had estimated.