On November 11th, our Team uncovered a major vulnerability in the OpenCart based Joomla Extensions MijoShop and AceShop that allows any malicious user to get access to your website.

The threat level is very high and we urge any user that has a live installation of these two 3rd-party extensions to act immediately! We advise that users should ask the developers of these extensions for a security-update, but in the meantime we provide an easy fix for both extensions, in order to help the webmasters community.

We have confirmed the vulnerability in MijoShop version 2.4.x and 2.5.x, Aceshop version 4.1.x
At the moment of the discovery the latest versions (all affected) were MijoShop 2.5.1 and Aceshop 4.1.3

Update - Mijoshop 2.5.2 is out including the fix for this issue. We urge users that have active subscription to download the official update from the developer website.

To fix this vulnerability please do the following:

1. Download the VQMOD patch from here.

Unzip it - it should contain a single XML file ace_mijo_vulnerability_patch.xml 

2. Login into your admin backend and go to Opencart VQMod manager (System/VQmod Manager)

3. Upload the patch

4. Check that the patch appears in the VQMOD list

This should make sure that you are safe until the developers address this vulnerability, hopefully as soon as possible.