Security has always been a priority at J2Store, and we work to ensure that all our products are safe from exploits. Today, a security analyst reported a vulnerability that could allow a SQL injection attack.
The issue is caused by an array of integers that was not escaped, and it only affects sites that use product options. J2Store versions 3.x to 3.3.6 are affected.
We have therefore released an update, J2Store 3.3.7, that addresses the issue.
If you are using a version prior to 3.3.7, kindly update to the latest version as soon as you can. Should you need any assistance with updating, please get in touch with us through the support request form.
Our support staff will be able to assist you with the update to the latest version.
If your J2Store PRO license subscription has expired, no worries. Use the following coupon to get a 25% discount when purchasing or renewing the PRO license: WELCOME25
We understand that not all of you are ready to update your site immediately, or you might be running a customized J2Store version. We have created a simple gist with instructions to patch the vulnerability.
Fix for J2Store 3.3.2 and lower
Go to: https://gist.github.com/rameshelamathi/6731ad8d2ec4be8d37d1195ae7d972e3
Fix for J2Store 3.3.3 to 3.3.6
You can follow the instructions to patch the vulnerability.
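For anyone reviewing customized code for the same class of bug, the following added example (not J2Store's code and not the contents of the gist) shows one way to handle a list of integer IDs before it reaches an `IN (...)` clause. The table, column and function names are hypothetical, and it assumes PHP 7.1 or later with the PDO SQLite driver.

```php
<?php
// Added illustration: table, column and function names are hypothetical, not J2Store's.
// Unsafe pattern being avoided: 'WHERE id IN (' . implode(',', $requestValues) . ')'

/** Accept only canonical non-negative integers; reject anything else outright. */
function sanitize_id_list(array $raw): array
{
    $ids = [];
    foreach ($raw as $value) {
        if (is_int($value) && $value >= 0) {
            $ids[] = $value;
        } elseif (is_string($value) && ctype_digit($value)) {
            $ids[] = (int) $value;
        } else {
            throw new InvalidArgumentException('Non-integer option id rejected');
        }
    }
    return array_values(array_unique($ids));
}

/** Hardened lookup: validated integers are bound through placeholders. */
function fetch_options(PDO $db, array $raw): array
{
    $ids = sanitize_id_list($raw);
    if ($ids === []) {
        return [];   // an empty IN () is a syntax error, so short-circuit
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, name FROM product_options WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product_options (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO product_options VALUES (1,'Size'),(2,'Colour'),(3,'Material')");

print_r(fetch_options($db, ['1', 3]));        // well-formed ids
try {
    fetch_options($db, ['1', '2 OR 1=1']);    // constructed malformed value
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Rejecting a malformed value, rather than silently casting it to an integer, also gives you a place to log the request for later review.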
All credit goes to Andrei Conache for discovering this issue.
If you have any further questions, please feel free to reach out using the support request form.