What is SQL Injection?
SQL injection is an injection attack in which user-supplied input ends up inside an SQL query that the application sends to its database, so the attacker's input is interpreted as SQL rather than as data. Depending on the query and the database privileges, this lets an attacker read, modify or delete data, and sometimes go further. Any database-driven website that builds queries from untrusted input can be vulnerable.
An SQL injection vulnerability exists when both of the following hold:
- Input reaches the program from an untrusted source (a request parameter, form field, cookie or header)
- That input is used to construct an SQL query dynamically, typically by string concatenation, instead of being passed to the database as a bound parameter
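As an added example (not code from the original post), the two conditions above in a small Python script against an in-memory SQLite database: a product quick-view lookup that concatenates the request's product id into the query, beside the same lookup done with type validation and a bound parameter. The table names, rows and the `quickview_*` functions are constructed for illustration and are not Magento's schema or code.

```python
import sqlite3

# Constructed sample schema for this example: a catalog table the quick-view handler
# is meant to read, and an admin table it was never meant to expose. Names and rows
# are assumptions for illustration, not Magento's real schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (entity_id INTEGER PRIMARY KEY, sku TEXT, name TEXT);
        CREATE TABLE admin_user (username TEXT, password_hash TEXT);
        INSERT INTO product VALUES (1, 'SKU-1', 'Red Shirt');
        INSERT INTO product VALUES (2, 'SKU-2', 'Blue Hat');
        INSERT INTO admin_user VALUES ('admin', '$2y$10$constructed-hash-for-example');
    """)
    return conn

def quickview_vulnerable(conn, product_id):
    """Both conditions at once: product_id comes from the request (untrusted) and is
    concatenated into the statement, so the database parses it as SQL, not as a value."""
    sql = "SELECT sku, name FROM product WHERE entity_id = " + product_id
    return conn.execute(sql).fetchall()

def quickview_safe(conn, product_id):
    """Validate the type first, then bind the value through a placeholder. The driver
    sends it as data, so SQL keywords in the input have no effect on the query."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        raise ValueError("product id must be an integer")
    sql = "SELECT sku, name FROM product WHERE entity_id = ?"
    return conn.execute(sql, (pid,)).fetchall()

def safe_rejects(conn, product_id):
    """True if quickview_safe refuses the input instead of running it."""
    try:
        quickview_safe(conn, product_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    conn = build_db()
    normal = "1"
    tautology = "1 OR 1=1"  # turns a one-row lookup into a dump of every product
    union = "0 UNION SELECT username, password_hash FROM admin_user"  # reads another table
    for payload in (normal, tautology, union):
        print("vulnerable:", repr(payload), "->", quickview_vulnerable(conn, payload))
        print("safe:      ", repr(payload), "->",
              "rejected" if safe_rejects(conn, payload) else quickview_safe(conn, payload))
```

The bound parameter is the actual fix; the `int()` check is defence in depth that also gives a clean error instead of a database error. In Magento 1 code the equivalent is to pass values through the `?` placeholder of Zend_Db's `where()` / `quoteInto()` rather than interpolating them into the SQL string.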
Magento Themes and Extensions with SQL injection vulnerability
Magento has identified SQL injection vulnerabilities in several third-party themes and extensions. The affected extensions are:
- Ajaxcart by EM(Extreme Magento)
- Quickshop by EM(Extreme Magento)
- Quickview by MD
- QuickView by SmartWave
These extensions are bundled with a number of themes, including Trego, Porto and Kallyas from SmartWave; other SmartWave themes may also be affected, and some EM themes include the vulnerable EM modules. The core Magento application itself is not affected by this vulnerability.
If you use any of the extensions or themes listed above, contact the vendor you bought them from immediately and request updated code. ThemeForest (Envato Market) has removed the vulnerability from the Porto theme, but the status of the other themes and extensions is unknown.
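Before contacting a vendor you need to know whether one of the named extensions is actually installed. The following is an added check (not from the original post or from Magento): it walks a Magento 1 install and reports module declarations under `app/etc/modules/` and code directories under `app/code/` whose path contains one of the extension names from the list above. The vendor/module codes that EM, MD and SmartWave actually use are not given on the page, so matching on the product names is an assumption and a hit is a candidate to confirm with the vendor, not proof.

```python
import os
import re

# Extension names taken from the list above. Magento 1 declares a module in
# app/etc/modules/<Vendor>_<Module>.xml and ships its code under
# app/code/{local,community}/<Vendor>/<Module>/. Matching those paths on the
# product names is a heuristic (assumption): the real module codes may differ.
SUSPECT_NAMES = ("ajaxcart", "quickshop", "quickview")
_PATTERN = re.compile("|".join(SUSPECT_NAMES), re.IGNORECASE)

def suspect_paths(paths):
    """Given paths relative to a Magento 1 root, return {name: [matching paths]}.
    Only module declarations and code directories count; a theme's CSS or template
    that merely mentions 'quickview' is ignored."""
    hits = {name: [] for name in SUSPECT_NAMES}
    for path in paths:
        norm = path.replace("\\", "/")
        if not (norm.startswith("app/etc/modules/") or norm.startswith("app/code/")):
            continue
        match = _PATTERN.search(norm)
        if match:
            hits[match.group(0).lower()].append(norm)
    return {name: sorted(found) for name, found in hits.items() if found}

def scan_magento_root(root):
    """Walk a real install and feed every file and directory path to suspect_paths()."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for entry in dirnames + filenames:
            paths.append(os.path.normpath(os.path.join(rel, entry)))
    return suspect_paths(paths)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, found in sorted(scan_magento_root(root).items()):
        print(name)
        for path in found:
            print("  ", path)
```

Run it as `python scan.py /path/to/magento`. If a listed module turns up and no fixed version is available yet, the Magento 1 way to take it out of service is to set its `<active>` flag to `false` in its `app/etc/modules/*.xml` declaration and flush the cache; test the storefront afterwards, since themes built on these modules may depend on them.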
For more information, see Magento security best practices. If you need a Magento expert for your ecommerce website, feel free to contact us.