New, related vulnerability and consolidated patch

A new vulnerability directly related to this other security issue was discovered and addressed over the last 48 hours.To learn more and address this latest vulnerability:

  • Log into your store’s Control Panel
  • Click on “Check for Updates” (regardless of whether you are enrolled in the Support & Updates Plan or not: security patches are always available to all users)
  • You will be prompted to download a ZIP archive that includes details on the vulnerability and updated files for your store. Please carefully read the document that describes the steps to take. We have included files to address just this vulnerability or all three recently reported vulnerabilities.

As we discussed in this post, vulnerabilities are part of software, but let us answer a few very legitimate questions that you may have about the events of the last several days.

Why so many vulnerabilities all of a sudden?
The first and this latest announcements actually pertain to the same problem. The vulnerability and the exploit are the same. The issue is that different areas of the application were found to be vulnerable. The second announcement pertained to completely unrelated security issues: the fact that the timing was the same was purely a coincidence.

Why two patches for the same vulnerability?
When a vulnerability is found, we are caught in a dilemma: (a) immediately issue a patch to address the problem, or (b) wait to research whether there are any other areas of the applications that might be affected by the same or similar issue.

If we go with (a), other issues could be found after a more in-depth review. If we go with (b), the security issue that we know exists remains unaddressed for a longer period of time.

That’s what happened in this case. We went with option (a), but additional, related issues were found in the following days. That’s why we had to release this latest patch, even if the vulnerability is the same one reported several days ago.

Do I have to apply the three security patches separately?
No, we have created a consolidated patch that includes updated files for all three issues. Log into your store’s Control Panel and click on “Check for Updates” to retrieve the file. Carefully read the enclosed PDF instructions for detailed information on what to do.


While we remain on high alert for any other possible issue, we want to take a moment to give a heartfelt “Thank You!” to everyone in the ProductCart community that has been collaborating with us to research and address these vulnerabilities as quickly as possible.

Special thanks go to Greg Dinger and his team at Greybeard Design Group, who provided extremely useful information throughout the process.

Thanks again and make sure to review and apply this latest security patch, as described above.

The Early Impact Team