J2Store 3.3.8 released with important security updates

Security has been a top priority at J2Store. We have been working with security experts for long and continue to audit our code base.

In a recent audit, we have discovered a possible cross-site scripting (XSS) vulnerability that affects versions from J2Store 3.x to 3.3.7. 

We have fixed the issue and published an update - J2Store 3.3.8

In addition to the security fix, we have also squashed a number of bugs in the 3.3.8 version. Key fixes include:

  • Article Category based ordering has been improved and made more flexible in product list views.
  • Terms and conditions and Quickview now uses FancyBox model as the bootstrap based model is often conflicted by third party extensions
  • Save as copy in flexible variable leads to the variants being ported to the copied article.
  • Mini stats module displays wrong total in the Yesterday column - combining yesterday and today sales
  • Postal code field now only allows Alpha Numeric value
  • Issue with deleting the variants in flexible variable
  • Discount message not showing in related products
  • Country ordering in the estimate shipping should be alphabetical


Update Now

If you are using versions prior to 3.3.8, we strongly advise you to update to the latest version as soon as possible.

Should you need any assistance with updating to the latest version, please get in touch with us through the support request form

Our support staff will be able to assist you with the update to the latest version.

Download J2Store

Here is the complete changelog for J2Store 3.3.8

Subscription Expired?

If your subscription for J2Store PRO license expired, no worries. Use the following coupon to get 25% discount for purchasing/renewing the PRO license again: WELCOME25



We understand that not all of you are ready to update your site immediately or you might be running a customized J2Store versions. We have created a simple gist with instructions to patch the vulnerability.

Please follow the steps below to implement the patch

NOTE: This requires you to use your favorite FTP client (example Filezilla) or your cPanel's File Manager


1. Take a FULL BACKUP of your site using Akeeba Backup or any other backup tool of your choice

2. BACKUP. Stressing this point again as the patching involves editing core files

3. Follow the instructions here:


All credits goes to Andrei Conache  for discovering this issue.


If you have any further questions, please free to reach out using the support request form

Subscribe to get updates from us