The open source Magento ecommerce platform owned by online retail giant eBay and driving hundreds of thousands of other merchant sites bears a serious vulnerability that could give attackers full control of stores.
Security vendor Check Point discovered the flaw and disclosed it privately to eBay earlier this year.
Check Point said the remote code execution vulnerability means any Magento-based store can be taken over by attackers.
All customer data including credit card details can be captured, as the vulnerability provides full access to Magento users' complete databases, Check Point said.
The compound vulnerability means unauthenticated attackers can chain several security flaws to execute PHP code on webservers. It affects both the Community and Enterprise editions of Magento.
While a patch - SUPEE-5344 - was released in February, Check Point believes hundreds of thousands of Magento stores remain vulnerable to full compromise.
However, Check Point researcher Netanel Rubin, who is credited with having discovered the vulnerability, added that the company is not aware of any current exploitation of the security flaw.
Full technical disclosure of the flaw will be released by Check Point in the coming days, with the possibility of a working proof of concept that can be used to compromise sites. Administrators of Magento sites are advised to patch against the flaw as soon as possible.