
If you're one of millions using Magento – stop whatever you're doing and patch now

Ecommerce websites can be hijacked via critical flaw

A huge security hole has been found in popular ecommerce platform Magento, requiring an immediate update.

Critical cross-site scripting vulnerabilities have been found in both versions 1 and 2 of the platform. They can be exploited just by registering with a spiked username or email address – making it an obvious target for automated attack.

The holes can be used to effectively take over a Magento store, putting both user data and credit card data at risk.

In other words: if you are running a Magento platform, stop whatever you are doing and get patching. You can expect your site to be tested within the next day.

There are two different updates available, depending on whether you are running version 1 or 2. Almost all releases are affected.

The size of the problem is potentially huge: Magento is the internet's fourth most-popular CMS, with roughly three per cent of the market (behind WordPress, Joomla and Drupal). That means potentially millions of websites will be affected.

The company described the worst hole thusly:

During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.
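The bug pattern Magento describes above, shown as an added example that is not code from Magento or from this article: a storefront accepts an email address with embedded markup, and an admin page later drops the stored value into HTML unescaped. The hardened path validates the address at the registration boundary and, independently, escapes on every render. Function names and the sample addresses are constructed for illustration.

```python
import html
import re

# Deliberately conservative email shape (assumption: stricter than RFC 5322,
# which is acceptable for a storefront form). No quotes, brackets or spaces.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_email(value: str) -> bool:
    """Input validation at the trust boundary: reject anything but a plain address."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def render_order_row_vulnerable(order: dict) -> str:
    """Pattern from the advisory: stored email is interpolated into admin HTML as-is."""
    return f"<tr><td>{order['id']}</td><td>{order['email']}</td></tr>"


def render_order_row_hardened(order: dict) -> str:
    """Output encoding on every render, regardless of what validation let through."""
    return (f"<tr><td>{html.escape(str(order['id']))}</td>"
            f"<td>{html.escape(order['email'], quote=True)}</td></tr>")


def register_customer(store: list, email: str) -> bool:
    """Storefront registration: markup never reaches the database if rejected here."""
    if not validate_email(email):
        return False
    store.append({"id": len(store) + 1, "email": email})
    return True


def contains_live_markup(rendered: str) -> bool:
    """Cheap check for tests or log review: a raw script tag where text was expected."""
    return "<script" in rendered.lower()


# Constructed sample inputs (not taken from the advisory).
GOOD = "alice@example.com"
BAD = '"<script>alert(1)</script>"@example.com'  # quoted local part carrying markup


def demo() -> dict:
    """Run both render paths over the constructed inputs and report what happened."""
    store = []
    vulnerable_output = render_order_row_vulnerable({"id": 1, "email": BAD})
    hardened_output = render_order_row_hardened({"id": 1, "email": BAD})
    return {
        "good_accepted": register_customer(store, GOOD),
        "bad_rejected": not register_customer(store, BAD),
        "vulnerable_is_live": contains_live_markup(vulnerable_output),
        "hardened_is_live": contains_live_markup(hardened_output),
    }
```

Note that the quoted local part in the sample is syntactically legal under RFC 5322, so a permissive validator alone is not a fix; the escaping in the render step is what actually closes the admin-context execution.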

There are a range of other critical and high-risk security vulnerabilities that have also been identified and patched in the updates. ®

Updated to add

A spokeswoman for Magento's developers has been in touch to say about 250,000 websites were affected by the aforementioned vulnerabilities, and not the 13 million some people had estimated.
