A patch has been released to fix a remote code execution vulnerability in both Magento Enterprise and Community Editions.
In February, Check Point researchers announced that they had released details of a critical remote code execution (RCE) vulnerability in the Magento platform. Check Point originally found this exploit back in February and contacted Magento privately regarding the issue. Magento then released a patch (SUPEE-5344), which is available here. The vulnerability is being referred to as Magento Shoplift and could potentially allow an unauthenticated attacker to execute PHP code on an affected server.
Magento has been contacting its clients with details of this vulnerability in both the Community and Enterprise versions. If you are running an unpatched, vulnerable version of Magento, a message should also be displayed when you log in to your admin interface, informing you that patching is needed. This security issue is specific to the Magento core and is unrelated to any specific plugins or themes that you may be running.

Posted in: Nexcess