We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.

Your Digital Commerce Experts
Nexcess Logo

New Magento Vulnerability Targets WYSIWYG Editor: Patch Details Here

December 12, 2013

A patch has been released to fix a remote code vulnerability in some versions of Magento.

The recently discovered remote code execution vulnerability may allow an attacker with administrative privileges to delete files and folders from a Magento installation through an exploit in the WYSIWYG editor. Magento Enterprise Edition stores from versions 1.6.0.0 through to version 1.13.0.2, and Magento Community Edition stores between 1.4.0.0 and 1.7.0.2 are at risk and should apply the patch detailed below. The vulnerability has been fixed in the latest Magento releases and those operating Magento stores outside the above ranges will not require a patch..

Magento site owners can implement the necessary patch by doing the following:

  1. SSH to your server and navigate to your Magento base directory
  2. Execute the following commands:

wget http://pubfiles.nexcess.net/magento/patches/image_patch.sh
sh image_patch.sh

The vulnerability was discovered during Magento’s quarterly penetration testing, with no reports of exploitation in the wild, but all Magento store owners should apply the patch as soon as possible to ensure that their stores remain secure.

Nexcess
Nexcess

Power up your sites and stores with custom-built technology designed to make every aspect of the digital commerce experience better. Make your digital commerce experience better with Nexcess. Visit Nexcess.net today and see how we can help.