Critical Vulnerability in Magestore Store Locator and Store Pickup Magento 2 Extensions

Magestore has been a Magento Extension Development team for over 10 years. A critical vulnerability has been discovered in two of their more popular Magento 2 extensions. Specifically, their Store Locator AND their Store Pickup extensions. Keep in mind that if you’re using a Magestore POS or Omnichannel solution, you may be leveraging one of these extensions in your website.

Magestore has made a patch available to address this critical vulnerability: https://blog.magestore.com/store-locator-extension-patch/

If you have either extension installed and are not using it, we advise you to disable the extension immediately. It is a best practice to disable any extension that you’re not actively using. This minimizes site maintenance and security threats. Keep in mind that much like Magento itself, extension developers do put out updates and patches from time-to-time, so auditing and updating your Magento extensions as part of your overall site-maintenance schedule is highly recommended.

If you have this extension installed and intend to keep using it, we recommend deploying this patch as soon as possible. Please be sure to adhere to your normal deployment best-practices, which should include testing the patch in a staging environment.

It will also be important to check for signs that this vulnerability was already exploited in your website. This can include tasks such as auditing your site for admin user accounts that were created without your knowledge and checking for suspicious database queries.

Background on Magestore and their extensions:

Magestore has historically been one of the more popular Magento extension development teams for many years, offering a wide variety of paid extensions. They have more recently switched their focus from offering many one-off extensions to offering a Point of Sale (POS) solution for Magento stores.

Magestore is still offering 3 extensions in the Magento Marketplace (their Banner Slider, Facebook Login, and Vietnamese Language Pack extensions). These extensions are being offered for free, but reviews are mixed. Magestore is, however, still recognized as a Magento Premier Extension Builder.

Regarding their old extensions, Magestore is no longer offering their old catalog of extensions for sale. They do not appear to be offering any extensions for purchase outside of their bundled Omnichannel / POS solution:

Additionally, if you still own any Magestore extensions, be aware that Magestore is not putting out any feature updates, nor are they offering any customization or other services related to their old extensions.

If you own any Magestore extensions, you’ll want to keep this in mind. If, for instance, you’re upgrading between Magento version (say, from 2.1 to 2.3), and you have compatibility issues, you won’t be able to rely on Magestore’s support for assistance. That means there may be cases where it makes sense to replace a Magestore extension rather than debug it.

Recommended Resources:

– If you’re still worried about the safety and security of your Magento website, we recommend taking advantage of the Free Magento Security Assessment offered by the JetRails team.

– Additionally, a Website Access Firewall (WAF), such as the one provided by Cloudflare, can provide an additional layer of security for your website. JetRails has created free Cloudflare Extensions for Magento 1 & 2 to help you more easily manage Cloudflare right from your Magento admin.