A new vulnerability in the Magento e-commerce platform could be remotely exploited to take over sites and steal client information, researchers have discovered.
Security vendor Sucuri discovered a stored cross-site scripting (XSS) vulnerability in the core system libraries for Magento Community Edition version 220.127.116.11 and earlier, and the Enterprise Edition version 18.104.22.168 and older.
The critical flaw could be triggered by sending an email to administrators.
Sucuri reported the bug to Magento's security team early in November last year. Magento acknowledged the vulnerability on 1 December 2015, but did not issue a patch until 21 January 2016.
The Magento SUPEE-7405 patch bundle fixes the stored XSS flaw, which can also be abused to create admin users and execute commands with full superuser rights.
Another stored XSS vulnerability, also rated as critical, is patched with SUPEE-7405, along with 18 other security flaws.
The popular e-commerce platform has a chequered history when it comes to security. In April last year, researchers discovered the "Shoplift" flaw in Magento that allowed attackers to take full control of online stores.
Magento users have also been slow to patch their installations against vulnerabilities, potentially exposing themselves and their customers to considerable financial and reputational risks.
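Since the fix ships as a patch bundle rather than a new release, one defensive check is to confirm SUPEE-7405 is actually present on each store. The script below is an added example (not from the article or from Magento): it reads a Magento 1 install's app/etc/applied.patches.list and reports whether SUPEE-7405 is applied and not later reverted; the pipe-separated line layout and the "REVERTED" marker are assumptions about that file, and the sample list is constructed.

```python
"""Check a Magento 1 app/etc/applied.patches.list for SUPEE-7405.

Magento 1 patch scripts append a line to app/etc/applied.patches.list for
each patch they apply; a revert appends a line for the same patch id that
contains "REVERTED".  The pipe-separated layout and the "REVERTED" marker
are assumptions about that file, and SAMPLE_LIST is constructed data.
"""
import re

REQUIRED_PATCH = "SUPEE-7405"
PATCH_ID = re.compile(r"\bSUPEE-\d+\b")

# Constructed sample: an older patch, the SUPEE-7405 fix, then a revert
# of the older patch.
SAMPLE_LIST = """\
2015-10-27 12:00:00 UTC | SUPEE-6788 | CE_1.9.2.1 | v1 | a1b2c3 | applied
2016-01-22 09:30:00 UTC | SUPEE-7405 | CE_1.9.2.3 | v1 | d4e5f6 | applied
2016-01-23 08:00:00 UTC | SUPEE-6788 | CE_1.9.2.1 | v1 | a1b2c3 | REVERTED
"""


def effective_patches(text):
    """Return the set of patch ids applied and not later reverted."""
    applied = set()
    for line in text.splitlines():
        match = PATCH_ID.search(line)
        if not match:
            continue  # blank lines or anything without a SUPEE id
        patch = match.group(0)
        if "REVERTED" in line.upper():
            applied.discard(patch)
        else:
            applied.add(patch)
    return applied


def missing_patches(text, required=(REQUIRED_PATCH,)):
    """Return the required patch ids absent from the effective set."""
    return sorted(set(required) - effective_patches(text))


def main(path="app/etc/applied.patches.list"):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""  # no list at all: no scripted patch has been applied
    missing = missing_patches(text)
    if missing:
        print("MISSING:", ", ".join(missing))
        return 1
    print("ok:", ", ".join(sorted(effective_patches(text))), "applied")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from the Magento document root; a non-zero exit means the bundle is absent or was reverted, which is the state the article warns slow-patching shops remain in.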
E-commerce retailer eBay sold Magento to London-based private equity firm Permira in November last year.