Magento releases patches whenever a vulnerability is found in the system, to make the system more secure.
Hackers can run malicious code and, leveraging SQL injection, create a fake admin user with full rights in the Magento database. If you think your website has been hacked, look for the usernames admin_user and ypwq in your database, as these are the names hackers have been using so far.
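As an added example (not part of the original post), here is a small script that lists every admin account so you can spot the names mentioned above, or any account you did not create. It assumes a Magento 1.x store, where admin accounts live in the `admin_user` table, that the script is uploaded to the Magento root, and that the database settings can be read from `app/etc/local.xml`; the `$suspectNames` list is the page's two usernames.

```php
<?php
// Added example, not the post's code: list every Magento admin account and
// flag the usernames the post associates with the compromise.
// Assumptions: Magento 1.x (`admin_user` table), script placed in the Magento
// root, DB credentials read from app/etc/local.xml.

// Known-bad usernames named in the post.
$suspectNames = array('admin_user', 'ypwq');

// Read the same database connection settings Magento itself uses.
$local = simplexml_load_file(__DIR__ . '/app/etc/local.xml');
if ($local === false) {
    exit("Could not read app/etc/local.xml; run this from the Magento root.\n");
}
$conn   = $local->global->resources->default_setup->connection;
$prefix = (string) $local->global->resources->db->table_prefix;

$pdo = new PDO(
    'mysql:host=' . (string) $conn->host . ';dbname=' . (string) $conn->dbname,
    (string) $conn->username,
    (string) $conn->password
);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Pull every admin account with its creation and modification times, so a
// freshly injected account stands out even if its name is not on the list.
$rows = $pdo->query(
    "SELECT user_id, username, email, is_active, created, modified "
    . "FROM `{$prefix}admin_user` ORDER BY created"
)->fetchAll(PDO::FETCH_ASSOC);

header('Content-Type: text/plain');
foreach ($rows as $row) {
    $flag = in_array(strtolower($row['username']), $suspectNames, true)
        ? '   <-- KNOWN BAD NAME' : '';
    printf("%-5s %-20s %-35s active=%s created=%s modified=%s%s\n",
        $row['user_id'], $row['username'], $row['email'],
        $row['is_active'], $row['created'], $row['modified'], $flag);
}
```

Run it once from the browser (or with `php` from the Magento root), review the list, and then delete the file, since it prints account details to anyone who can reach it.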
Why you should fix this as soon as possible
Check Point researchers recently discovered a critical RCE (remote code execution) vulnerability in the Magento web e-commerce platform that can lead to the complete compromise of any Magento-based store, including credit card information as well as other financial and personal data, affecting nearly two hundred thousand online shops.
Download the patch
You can download the latest patches from the official Magento website; here is the link: https://www.magentocommerce.com/products/downloads/magento/
There are a few ways to install patches: one uses SSH, the other FTP or cPanel. Some hosting providers don’t provide SSH access for your plan, but don’t worry, you have another option to follow.
Make sure compilation has been disabled in your store before installing patches. If you installed the patch without disabling the compiler, test everything and then run the compiler again; the compiler must be re-run for the patched code to take effect.
Create a patch.php file
1. After downloading the patch files, upload them to the root of Magento via FTP.
2. Make one file named patch.php and write the following code in it:
Replace the file name in it, upload it to the root via FTP and run the file from the browser.
The name should match the patch file you downloaded and end with the extension .sh.
You should see the following screen once you run patch.php from the browser:
If you are getting an error like this:
that means the system tools needed to run the sh script aren’t installed on your server; you can contact your hosting provider or follow another method.
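Since the post's own patch.php is not reproduced here, the following is an added example of such a file (not the original post's code) that runs the uploaded patch script from the browser and checks up front for the two failure modes described above: the compiler still being enabled, and the system tools the .sh script needs being unavailable. It assumes a Magento 1.x store, that the .sh file sits next to patch.php in the Magento root, that the patch script needs `sh` and the `patch` utility, and that Magento 1 enables the compiler by uncommenting the `COMPILER_INCLUDE_PATH` define in `includes/config.php`; `PATCH_SUPEE-XXXX_placeholder.sh` is a placeholder to replace with the file you downloaded.

```php
<?php
// Added example, not the post's patch.php: run a downloaded Magento patch
// script from the browser when SSH is unavailable.
// Assumptions: Magento 1.x layout; the .sh file is uploaded to the Magento
// root next to this file; the script needs `sh` and the `patch` utility;
// includes/config.php enables the compiler via an uncommented define().

// Placeholder: replace with the patch file you downloaded. Hard-coded on
// purpose, never taken from the request, so this file cannot run anything else.
$patchFile = 'PATCH_SUPEE-XXXX_placeholder.sh';

header('Content-Type: text/plain');

// 1. The patch must exist in the directory this script lives in.
$path = __DIR__ . '/' . basename($patchFile);
if (!is_file($path)) {
    exit("Patch file not found: $path\nUpload it to the Magento root first.\n");
}

// 2. Refuse to run while the compiler is enabled (see the note on compilation
//    above). Magento 1 comments out the define() when the compiler is disabled.
$compilerConfig = @file_get_contents(__DIR__ . '/includes/config.php');
if ($compilerConfig !== false
    && preg_match("/^\\s*define\\(\\s*'COMPILER_INCLUDE_PATH'/m", $compilerConfig)) {
    exit("Compilation appears to be enabled (includes/config.php). Disable it before patching.\n");
}

// 3. The error the post describes comes from missing system tools (or PHP not
//    being allowed to run shell commands); report that clearly instead of
//    showing a half-failed script.
if (!function_exists('shell_exec')) {
    exit("shell_exec() is disabled in PHP on this server; use another install method.\n");
}
foreach (array('sh', 'patch') as $tool) {
    $found = trim((string) shell_exec('command -v ' . escapeshellarg($tool) . ' 2>/dev/null'));
    if ($found === '') {
        exit("Required tool '$tool' is not available on this server.\n"
           . "Contact your hosting provider or follow another method.\n");
    }
}

// 4. Run the patch from the Magento root and show its full output
//    (stderr merged into stdout so failures from `patch` are visible).
chdir(__DIR__);
echo "Running $patchFile ...\n\n";
echo shell_exec('sh ' . escapeshellarg($path) . ' 2>&1');
echo "\nDone. Delete patch.php and the .sh file from the web root now.\n";
```

Open patch.php in the browser once, read the output to confirm the patch applied, then delete both patch.php and the .sh file from the web root, since a script that runs shell commands should not stay reachable from the web.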