Action Required!

We have detected malicious activity targeting X-Cart stores on versions 5.0.x to 5.4.1.x. Your X-Cart store is based on an affected version. As a result, a cybercriminal can gain full admin access to your online store.

You don’t have to do anything if your store is hosted on the X-Cart server. We’ve already fixed the vulnerability on your behalf. If you are using your own hosting service, please follow the steps below to resolve the issue.

The attacks include the following unauthorized changes to your store’s settings*:
  • creation of a new root admin,
  • email addresses in Store Setup → Store profile → Contacts,
  • settings in Store Setup → Localization → Time zone,
  • a new PayPal Express Checkout linked to an unauthorized email address,
  • the year when the store opened.

If you are using the X-Cart 5.4.1.x edition, you must immediately upgrade your X-Cart store to version 5.4.1.48 to resolve the issue. Upgrade your store on your own or contact us to implement the upgrade on your behalf.

To fix the vulnerability and ensure your store is secure, follow the steps below:

  1. Delete the ./Includes/install/ subfolder and its contents from the ./Includes/ folder in your store’s files on the server.
  2. Go to Admin panel → Store → Users and check all Administrator accounts. Remove the service-client@x-cart.com admin and any other unauthorized accounts.
  3. Check and correct the settings mentioned above.* Restore your regular settings and ensure that all unauthorized changes have been reverted.
  4. Block requests to read configuration files at the server level:

     Nginx:
       if ($args ~ (config.php|config.local.php|.env)) { return 403; }

     Apache (the directive is RewriteOptions, and the RewriteRule substitution is a plain hyphen):
       <IfModule mod_rewrite.c>
         RewriteEngine on
         RewriteOptions InheritDown
         RewriteCond %{QUERY_STRING} (config.php|config.local.php|.env) [NC]
         RewriteRule .* - [F,L]
       </IfModule>
  5. Change Installer auth_code. To do that, find the auth_code setting in the etc/config.php configuration file and replace its value with a random 32-character string.
  6. End all admin sessions and change all admin passwords. Log out all admins, including the one you are currently working under. To log out an admin, go to Users → Admin’s profile, and click Log out this user.
  7. Regenerate the Safe Mode key if you are using an X-Cart version older than 5.4.0.0. To do that, go to admin.php?target=safe_mode and click Regenerate links.
  8. Regenerate API keys. If you have the XC-RESTAPI module installed, go to Admin Panel → My apps → My addons. Find the XC-RESTAPI module and change the API keys in its settings if they are not empty.
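The file-level steps above (1, 4 and 5) can be verified and applied with a script like the following. It is an added example, not X-Cart's own tooling, and assumes the standard X-Cart 5 layout: an Includes/install subfolder, an INI-style etc/config.php with an `auth_code = "..."` line, and an Apache .htaccess in the store root.

```shell
# Post-remediation audit for a self-hosted X-Cart tree (added example, not
# X-Cart's own code). Covers steps 1, 4 and 5 above and assumes the standard
# layout: Includes/install, an INI-style etc/config.php (auth_code = "..."),
# and an Apache .htaccess in the store root.

# Step 5 helper: random 32-character alphanumeric auth_code.
gen_auth_code() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}
# Current auth_code value from etc/config.php, surrounding quotes stripped.
read_auth_code() {
    grep '^[[:space:]]*auth_code[[:space:]]*=' "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/^"//; s/"[[:space:]]*$//'
}
# Return 0 when every check passes; print each failing check and return 1.
xcart_audit() {
    root=$1; rc=0
    [ -d "$root/Includes/install" ] &&
        { echo "FAIL step 1: $root/Includes/install still present"; rc=1; }
    grep -q 'config.local.php' "$root/.htaccess" 2>/dev/null ||
        { echo "FAIL step 4: .htaccess has no rule blocking config-file reads"; rc=1; }
    code=$(read_auth_code "$root/etc/config.php")
    [ "${#code}" -eq 32 ] ||
        { echo "FAIL step 5: auth_code is ${#code} characters, expected 32"; rc=1; }
    return $rc
}
# Apply steps 1, 4 and 5: remove the installer, append the advisory's Apache
# block rule, and rotate auth_code (sed writes a temp file, so no GNU -i needed).
xcart_remediate() {
    root=$1; new=$(gen_auth_code)
    rm -rf "$root/Includes/install"
    cat >> "$root/.htaccess" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteOptions InheritDown
RewriteCond %{QUERY_STRING} (config.php|config.local.php|.env) [NC]
RewriteRule .* - [F,L]
</IfModule>
EOF
    sed "s/^\([[:space:]]*auth_code[[:space:]]*=\).*/\1 \"$new\"/" \
        "$root/etc/config.php" > "$root/etc/config.php.tmp" &&
        mv "$root/etc/config.php.tmp" "$root/etc/config.php"
}
# Constructed sample store (no real data) in the pre-remediation state.
make_sample_store() {
    d=$(mktemp -d)
    mkdir -p "$d/Includes/install" "$d/etc"
    printf '[installer_details]\nauth_code = "changeme"\n' > "$d/etc/config.php"
    echo "$d"
}
```

Run `xcart_audit /path/to/store` before and after the manual steps; the constructed sample store fails all three checks until `xcart_remediate` is applied to it.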

Contact us and we’ll deploy the fixes and delete unauthorized users on your behalf as part of your active support package.
