In case you missed it, Magento published security-only releases on March 26th, 2019 (2.3.1, 2.2.8 and 2.1.17) that fix an unauthenticated SQL injection vulnerability. The issue is critical: it affects every Magento 2 store older than those releases, which includes the whole 2.2.0 through 2.2.7 line as well as 2.3.0, and it can be triggered by anyone who can reach the storefront, with no credentials at all. A successful attack lets the attacker extract data from the store database (the public proof of concept retrieves administrator password hashes), which is enough to take administrative control of your Magento store, install backdoors, and generally wreak havoc on your system.
The 2.3.1 release fixes this bug along with a long list of other vulnerabilities; for stores that cannot upgrade right away, Magento also published a standalone patch (PRODSECBUG-2198) that closes just the SQL injection. At FortyFour, we began patching our sites directly after the release, and we recommend that all merchants patch immediately. Ambionics Security, the firm that found the bug, published a blog post that details how it was discovered, how the attack works, and which files are involved, and their proof-of-concept exploit is public on GitHub, so the bar for attacking an unpatched store is low.
It goes without saying that an issue like this is critical for an e-commerce business. Whether you are a merchant running a Magento store or a Magento development partner, a vulnerability of this kind puts your customers' trust at risk: once a site is compromised, the personal and payment data it holds is exposed, with serious consequences for the affected individuals and for the website owner.
As always, unpatched stores are at greatest risk in the days right after a patch goes public: the fix shows attackers exactly where the weakness is, and in this case a working exploit was published alongside it. That is why FortyFour guarantees a one-day turnaround for our clients on all security patches. If you need your Magento store patched, or want to confirm whether this patch applies to you, contact us at firstname.lastname@example.org.
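The quickest way to tell whether this patch applies to a store is to compare the installed version against the fixed release on its branch. The script below is an added example, not FortyFour's tooling and not code from Magento or Ambionics; the fixed-release table (2.1.17, 2.2.8, 2.3.1) comes from Magento's March 26th, 2019 security releases, and the function names are my own. It only reads the version string, so it is safe to run against production.

```shell
#!/bin/sh
# Added example (not FortyFour's or Magento's code): report whether a Magento 2
# version predates the security-only releases of March 26, 2019 that fixed the
# unauthenticated SQL injection tracked as PRODSECBUG-2198.

# component VERSION N -> Nth dotted component of VERSION, or 0 if absent.
# cut -s suppresses lines with no delimiter, so a bare "2" does not leak into
# every field.
component() {
    c=$(printf '%s' "$1" | cut -s -d. -f"$2")
    printf '%s' "${c:-0}"
}

# version_lt A B -> exit status 0 when A is older than B, comparing the first
# three numeric components; equal versions are not "older".
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(component "$1" "$i")
        y=$(component "$2" "$i")
        if [ "$x" -lt "$y" ]; then
            return 0
        fi
        if [ "$x" -gt "$y" ]; then
            return 1
        fi
        i=$((i + 1))
    done
    return 1
}

# magento_status VERSION -> prints "vulnerable", "patched" or "unknown".
# Fixed releases per branch, per the March 26, 2019 security bulletin
# (assumption: you run upstream Magento 2, not a fork with its own numbering).
magento_status() {
    v=${1%%-*}                      # drop suffixes such as "2.3.1-p1"
    case "$v" in
        *[!0-9.]*|'') echo unknown; return ;;   # not a bare dotted version
    esac
    branch=$(printf '%s' "$v" | cut -s -d. -f1-2)
    case "$branch" in
        2.1) fixed=2.1.17 ;;
        2.2) fixed=2.2.8 ;;
        2.3) fixed=2.3.1 ;;
        *)   echo unknown; return ;;  # 2.0.x and earlier are not in the table
    esac
    if version_lt "$v" "$fixed"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Usage against a live install, run from the Magento root (bin/magento prints
# "Magento CLI <version>", so take the last field):
#   magento_status "$(php bin/magento --version | awk '{print $NF}')"
```

A "patched" result only means the core release is at or past the fix; if a store stayed on an older release and applied the standalone PRODSECBUG-2198 patch instead, the version string does not change, so confirm the patch by checking the patched file itself rather than trusting the version alone.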