Critical Security Advisory for All Versions of Magento Enterprise Edition and Magento Community Edition

The remote code execution (RCE) vulnerability, or “shoplift” bug, was reported to us by Check Point Software Technologies in late January 2015. It affects both Magento Enterprise Edition and Magento Community Edition and allows attackers to obtain control over a store and its sensitive data, including personal customer information. Magento issued a patch for this issue on February 9, 2015.


To determine if your site has been patched, enter your URL in the search box above.


If your site has not been patched, we strongly urge you to implement the following patches to address the issue highlighted by Check Point Security Technologies, as well as a previous issue resolved in October 2014 (SUPEE-1533). All Enterprise Edition patches can be found in the Magento Support Portal and Community Edition patches can be found on the Magento Community Edition download page.

Enterprise Edition Patches:

  • If you are on Magento Enterprise Edition, then you are protected, as both patches were integrated into this build
  • If you are on Magento Enterprise Edition E, then please apply patch SUPEE-5344 only. SUPEE-1533 was integrated into this build
  • If you are on Magento Enterprise Edition to, then please apply both patches, SUPEE-5344 and SUPEE-1533
  • If you are on Magento Enterprise Edition and lower, then please apply SUPEE-1533 and the appropriate patch for your version:
    • Magento Enterprise Edition 1.12.0.x:
    • Magento Enterprise Edition thru EE
    • Magento Enterprise Edition 1.11.0.x:
    • Magento Enterprise Edition 1.10.1.x:
    • Magento Enterprise Edition thru

Community Edition Patches:


We recommend that you look for the following signs to determine if your site has potentially been compromised:

  • Check your list of administrator users for unknown accounts. We have seen vpwq and defaultmanager being used, but any unknown account is suspicious
  • Check your Magento installation for any unknown files that were recently created and are suspicious. Compare all files to your code repository or staging server.
  • Check server access log files for request POST /index.php/admin/Cms_Wysiwyg/directive/index/ coming from unknown IP addresses.
  • Run a tool to check for trojans (e.g. chkrootkit)
  • Check for wrong permissions
  • Check for hidden files
  • Check for suspicious ports being opened (command: netstat -nap | grep LISTEN )
  • Check for any port redirections on OS level (sample command: iptables -L -n)

If you suspect that the site is compromised, contact the security department of your hosting company for an audit.


If you have several sites to check or you simply prefer to use our API, send a request like this:

$ curl{domain}/{admin path}

Optionally, you can force the API to check in https mode:

$ curl{domain}/{admin path}/https

Finally, if your admin path is more than one level deep, replace slashes with exclamation points, like this:

# /my/long/admin/path becomes:
$ curl{domain}/my\!long\!admin\!path


While a large number of merchants have successfully downloaded the patch, many still have not done so. Please act now to ensure that your Magento store is secure!