Recently Magento released a major security patch (SUPEE-6788) which closes holes that could lead to remote code execution, information leaks and cross-site scripting. However, this particular patch has been affecting many, many extensions. If you have installed anything above & beyond the default Magento install, please check out this crowd-sourced Google Doc (it is not a complete list) & then do your research (contact the extension developer directly if you can) about whether your extension may be affected, and take action accordingly before installing the patch.
Note: once you apply the patch, compatibility mode is turned on by default (meaning you’re not protected until this is switched). To enable the security patch once installed, you’ll need to go to System > Configuration > Advanced > Admin and change “Admin routing compatibility mode for extensions” to “disable”.
Another Note: make sure you have the previous patches applied.
This is how we’d proceed with applying the patch:
- Research all your extensions/custom code
- Backup both live & dev sites
- Apply SUPEE-6788 patch (download here) on dev site & turn off compatibility mode. Dump Magento cache. Test all appropriate functions. Apply extension updates. If everything goes well, continue on to next step.
- Apply SUPEE-6788 patch on production site & turn off compatibility mode
- Apply extension updates (if appropriate)
- Dump Magento cache
- Test everything, from CMS pages to transactional emails
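For the research step, the following is an added example (not part of the original post or of Magento itself) that flags extensions still declaring their own admin router with `<use>admin</use>`, the routing style that compatibility mode exists to keep working. It assumes the standard Magento 1 layout `app/code/<pool>/<Vendor>/<Module>/etc/config.xml`, uses a hypothetical `Acme_Export` module as constructed sample input, and covers only the admin routing change, not the other areas the patch touches.

```python
import glob
import os
import sys
import xml.etree.ElementTree as ET

def legacy_admin_routers(config_xml):
    """Return (router, frontName) pairs for admin routers that use their own
    <use>admin</use> declaration instead of hooking into the adminhtml router."""
    root = ET.fromstring(config_xml)
    hits = []
    for router in root.findall("./admin/routers/*"):
        use = (router.findtext("use") or "").strip()
        # Mage_Adminhtml's own 'adminhtml' router is the one extensions should join.
        if router.tag != "adminhtml" and use == "admin":
            hits.append((router.tag, (router.findtext("args/frontName") or "").strip()))
    return hits

def scan_magento_root(magento_root):
    """Map each module config.xml (all code pools) to its legacy admin routers."""
    pattern = os.path.join(magento_root, "app", "code", "*", "*", "*", "etc", "config.xml")
    report = {}
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path, "rb") as fh:
                hits = legacy_admin_routers(fh.read())
        except (OSError, ET.ParseError) as exc:
            hits = [("unreadable", str(exc))]  # flag for manual review
        if hits:
            report[path] = hits
    return report

# Constructed samples; Acme_Export is a hypothetical extension.
LEGACY = """<config><admin><routers><acme_export>
  <use>admin</use>
  <args><module>Acme_Export</module><frontName>acme_export</frontName></args>
</acme_export></routers></admin></config>"""

UPDATED = """<config><admin><routers><adminhtml><args><modules>
  <acme_export after="Mage_Adminhtml">Acme_Export_Adminhtml</acme_export>
</modules></args></adminhtml></routers></admin></config>"""

if __name__ == "__main__":
    for path, hits in scan_magento_root(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

Run it against the dev copy with the Magento root as the only argument; any module it lists needs an updated release or a routing fix before compatibility mode is disabled.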
This is a very simple overview — as always, if you have any questions, let us know!