A critical vulnerability in a popular Magento caching extension, Mirasvit Cache Warmer, exposes online stores to remote code execution without login access or administrative credentials. It was discovered by security researchers at Sansec.
Details of the Vulnerability
The flaw, tracked as CVE-2026-45247 and rated critical with a CVSS score of 9.8, is an unauthenticated PHP object injection. Mirasvit Cache Warmer is used by thousands of Magento and Adobe Commerce stores to speed up page loads by pre-generating cached pages. The problem lies in how the extension handles the session data it stores in a cookie.
The extension embeds session data in a cookie, so the data comes back to the server under the client's full control. The extension then passes the cookie value to PHP's unserialize() with no allowed_classes restriction and no authentication check. An attacker can therefore replace the cookie with a serialized object of any class the Magento autoloader can find; PHP instantiates that object during unserialize() and runs its magic methods (such as __wakeup() and __destruct()), and chaining suitable existing Magento classes turns this into Remote Code Execution (RCE).
Impact and Scope
All Mirasvit Cache Warmer versions prior to 1.11.12 are affected. The module is also bundled inside other Mirasvit packages, so merchants who never installed Cache Warmer directly may still be running it. Sansec's research identified roughly 6,000 active stores using Mirasvit extensions; the true number is likely higher because stores behind a CDN are harder to fingerprint.
The vulnerable code path runs on every storefront request, so any publicly reachable Magento store with the extension installed is a target. Exploit attempts can be found in web server logs: look for requests carrying a CacheWarmer cookie whose value is a base64-encoded serialized PHP object, that is, a decoded value containing a PHP object token of the form O:<length>:"ClassName": rather than plain scalar or array data.
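The log check just described, as an added example written for this article (it is not Sansec's or Mirasvit's code): a scanner that pulls the Cookie field out of access-log lines, base64-decodes any cookie whose name contains CacheWarmer, and walks the PHP serialization format to list the class names an unserialize() call would instantiate, without instantiating anything. It goes a little beyond the pattern in the text: objects nested inside arrays and URL-encoded cookie values are handled, and a malformed payload is still reported if it carries an object token. The cookie name, the log layout (combined format with the Cookie header appended as a final quoted field), the sample lines and the placeholder class name Hypothetical\Gadget are all assumptions, not values taken from the advisory.

```python
# Added illustrative code, not Sansec's or Mirasvit's. Assumptions: the cookie name contains
# "CacheWarmer"; lines are combined log format with the Cookie header appended as a final quoted field.
import base64
import re
from urllib.parse import unquote

LAST_QUOTED_FIELD = re.compile(r'"([^"]*)"\s*$')  # the appended Cookie header
OBJECT_TOKEN = re.compile(rb'O:\d+:"([^"]*)"')     # fallback for malformed payloads

def parse_php_serialized(data: bytes):
    """Walk PHP serialize() output without instantiating anything; return
    (value, classes) where classes lists every class an O: token names."""
    classes, pos = [], 0

    def expect(tok):
        nonlocal pos
        if not data.startswith(tok, pos):
            raise ValueError(f"expected {tok!r} at offset {pos}")
        pos += len(tok)

    def read_until(delim):
        nonlocal pos
        end = data.find(delim, pos)
        if end < 0:
            raise ValueError(f"missing {delim!r} after offset {pos}")
        out, pos = data[pos:end], end + len(delim)
        return out

    def read_len_string():  # <len>:"<bytes>" is length-prefixed, so quotes inside are data
        nonlocal pos
        length = int(read_until(b':"'))
        s, pos = data[pos:pos + length], pos + length
        expect(b'"')  # fails if the declared length ran past the end of the data
        return s.decode("utf-8", "replace")

    def read_value():
        nonlocal pos
        tag, pos = data[pos:pos + 1], pos + 1
        if tag == b"N":
            expect(b";")
            return None
        if tag not in (b"b", b"i", b"d", b"s", b"a", b"O"):
            raise ValueError(f"unsupported tag {tag!r} at offset {pos - 1}")
        expect(b":")  # every tag except N is followed by ':'
        if tag in (b"b", b"i", b"d"):
            raw = read_until(b";").decode()
            return raw == "1" if tag == b"b" else int(raw) if tag == b"i" else float(raw)
        if tag == b"s":
            s = read_len_string()
            expect(b";")
            return s
        cls = None  # from here on the tag is a (array) or O (object)
        if tag == b"O":
            cls = read_len_string()
            classes.append(cls)  # the class unserialize() would instantiate
            expect(b":")
        count = int(read_until(b":"))
        expect(b"{")
        items = {}
        for _ in range(count):  # arrays and objects share the key/value shape
            key = read_value()
            items[key] = read_value()
        expect(b"}")
        return items if cls is None else {"__class__": cls, "props": items}

    return read_value(), classes

def scan_log_line(line: str):  # -> {"cookie", "classes"} for a suspicious line, else None
    m = LAST_QUOTED_FIELD.search(line)
    for part in (m.group(1).split(";") if m else []):
        name, _, value = part.strip().partition("=")
        if "cachewarmer" not in name.lower():          # assumption: loose cookie-name match
            continue
        raw = unquote(value).strip()                   # cookie values are often URL-encoded
        try:
            blob = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except ValueError:
            continue                                   # not base64: not this exploit pattern
        try:
            classes = parse_php_serialized(blob)[1]
        except (ValueError, TypeError):                # malformed or truncated payload
            classes = [c.decode("utf-8", "replace") for c in OBJECT_TOKEN.findall(blob)]
        if classes:
            return {"cookie": name, "classes": classes}

def b64_text(payload: str) -> str:
    return base64.b64encode(payload.encode()).decode()

# Constructed samples, not real traffic; Hypothetical\Gadget is a placeholder, not a real Magento class.
BENIGN = 'a:1:{s:3:"foo";s:3:"bar";}'
OBJECT = 'O:19:"Hypothetical\\Gadget":1:{s:4:"path";s:8:"/tmp/foo";}'
NESTED = 'a:1:{i:0;O:19:"Hypothetical\\Gadget":0:{}}'
LOG_PREFIX = '203.0.113.5 - - [25/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" '
SAMPLE_LOG = [
    LOG_PREFIX + '"PHPSESSID=abc123; CacheWarmer=' + b64_text(BENIGN) + '"',
    LOG_PREFIX + '"CacheWarmer=' + b64_text(OBJECT) + '"',
    LOG_PREFIX + '"CacheWarmer=' + b64_text(NESTED).replace("=", "%3D") + '; other=1"',
    LOG_PREFIX + '"-"',
]
```

Run scan_log_line over each line of a real access log; the classes field of a finding names the class the attacker tried to instantiate, which is the gadget to look up during triage. The scanner only parses the format; PHP's unserialize() would instantiate each named class and run its magic methods, which is exactly the step the extension should never take on client-supplied data.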
Mitigation Measures
Mirasvit responded quickly: the patched release, version 1.11.12, has been available since May 25, 2026, and store owners should upgrade immediately. Additional measures include a web application firewall rule that blocks requests whose cookies carry serialized PHP objects, a scan of the document root for unauthorized PHP files (the usual post-exploitation webshell), and an audit of installed packages, both composer-installed and those under app/code, for an embedded Cache Warmer module.
Sansec Shield clients have been protected since April 24, 2026, the day the vulnerability was discovered. The CVE identifier was officially assigned on May 26, 2026. Because exploitation needs no credentials and can be fully automated, unpatched stores remain exposed to full server compromise.
