    Deploy Blog
    Nathan Chick

    Magento's Latest Security & Feature Updates (2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15)

    Magento's October 2025 security patches address critical vulnerabilities including SessionReaper (CVE-2025-54236) and multiple XSS exploits. Learn what's fixed in 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, and 2.4.5-p15 - and why you need to patch now.


    Magento has rolled out its October 2025 batch of patch releases - 2.4.8-p3, 2.4.7-p8, 2.4.6-p13 and 2.4.5-p15 - with a strong focus on security, stability and forward-looking platform improvements. If you're running any of the 2.4.5 to 2.4.8 lines, now is the time to get your environments patched and tested.

    Here’s what’s new and why it matters:

    SessionReaper Fix (CVE-2025-54236)

    The October patches include the fix for SessionReaper (CVE-2025-54236) - one of the most critical Magento vulnerabilities in recent history, with a CVSS score of 9.1/10. The fix was originally shipped as an emergency isolated patch on September 9, 2025. The vulnerability allowed unauthenticated attackers to take over customer accounts through the REST API and potentially to execute code remotely. The October releases roll this fix into the standard patch versions across all supported lines, so a store that applied the isolated patch in September still needs the full release, and a store that did not apply it remains exposed until it upgrades. Because the bug needed no credentials, a store that sat unpatched after September 9 should also review its REST API access logs and invalidate existing customer sessions rather than assume the upgrade alone undoes any earlier compromise.

    XSS Fixes

    Multiple Cross-Site Scripting (XSS) vulnerabilities have been resolved in this release:

    • CVE-2025-54264 (Critical, CVSS 8.1): Stored XSS enabling privilege escalation
    • CVE-2025-54266 (Important, CVSS 4.8): Stored XSS enabling arbitrary code execution

    These fixes tighten up input validation and output escaping, particularly in the admin panel, closing the door on injection payloads that could compromise store security. Note that "arbitrary code execution" in the XSS context means script running in the browser of whoever views the stored payload - typically an admin - not code execution on the server; the practical risk is an attacker riding that admin session to escalate privileges or change store configuration.

    CSP Collector & SRI Enhancements

    Magento's Content Security Policy (CSP) and Subresource Integrity (SRI) systems have been enhanced with a more efficient file-based collector. This change improves the way Magento stores and serves the CSP directives and SRI hashes it generates - reducing overhead for storefronts that rely on these browser protections. After upgrading, check the Content-Security-Policy headers and the integrity attributes on static assets in staging: a regenerated policy is the kind of change that only shows up as a broken checkout if something no longer whitelisted gets blocked by the browser.
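As an added illustration of what the collected CSP/SRI data consists of (this is example code written for this post, not code from Magento or from its new collector), the Python below derives an SRI integrity value from the exact bytes of a static file, verifies it the way a browser does, and builds a CSP script-src policy from a host allow-list plus hash-sources for inline scripts. The asset bytes, the inline script and the CDN host name are constructed sample inputs.

```python
import base64
import hashlib

# Constructed sample inputs (not from the page or from any real store).
STATIC_JS = b"window.checkout = { init: function () { return 'ok'; } };\n"
INLINE_SCRIPT = "require(['jquery'], function ($) { $('body').addClass('loaded'); });"
CDN_HOST = "https://cdn.example.invalid"  # hypothetical host


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI 'integrity' value such as 'sha384-<base64 digest>'.

    Browsers only honour sha256, sha384 and sha512; sha384 is the usual default.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Re-derive the digest of `content` and compare it with `integrity`.

    This is the check a browser performs before executing a <script integrity=...>:
    a single changed byte, whether on the CDN or in transit, fails the check.
    """
    algo = integrity.partition("-")[0]
    try:
        return sri_integrity(content, algo) == integrity
    except ValueError:  # unsupported algorithm in the attribute
        return False


def csp_hash_source(inline_script: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source ('sha256-...') that allows one inline script.

    The digest covers the exact text between <script> and </script>, UTF-8
    encoded, so any whitespace or content change produces a different hash.
    """
    digest = hashlib.new(algo, inline_script.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_csp_header(allowed_script_hosts, inline_script_hashes, report_only=False):
    """Assemble a script-src policy from allowed hosts plus inline hash-sources.

    Hash-sources are what let a page drop 'unsafe-inline' for scripts, which is
    why CSP data has to be collected per script rather than set once globally.
    """
    sources = ["'self'", *allowed_script_hosts, *inline_script_hashes]
    policy = "script-src " + " ".join(sources) + "; object-src 'none'"
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, policy


def script_tag(src: str, content: bytes) -> str:
    """Emit a <script> tag carrying the SRI attribute for the given asset bytes."""
    return f'<script src="{src}" integrity="{sri_integrity(content)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    integrity = sri_integrity(STATIC_JS)
    print(script_tag(f"{CDN_HOST}/static/checkout.js", STATIC_JS))
    print("untampered asset accepted:", sri_matches(STATIC_JS, integrity))
    tampered = STATIC_JS.replace(b"'ok'", b"'pwned'")
    print("tampered asset accepted:  ", sri_matches(tampered, integrity))
    header, policy = build_csp_header([CDN_HOST], [csp_hash_source(INLINE_SCRIPT)])
    print(f"{header}: {policy}")
```

Running the script shows the tampered copy of the asset being rejected while the original passes, and prints a policy that allows the inline script by hash rather than by `'unsafe-inline'`. When checking a storefront after the upgrade, the same two things are what to look at: whether the `integrity` attribute on each static file still matches the bytes actually served, and whether every inline script on the page has a matching hash-source (or nonce) in the header.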

    LoginAsCustomer Security

    The LoginAsCustomer feature now includes additional validation and access control checks. This hardens one of the more sensitive admin tools, ensuring only properly authorised users can log in as a customer for support or troubleshooting purposes.

    Admin Sales Order ACL Improvements

    Admins now benefit from improved permission verification during order creation. These ACL (Access Control List) enhancements prevent unauthorised users from creating or modifying sales orders, further tightening backend security controls.

    Major Updates You Shouldn't Miss

    TinyMCE Replaced by Hugerte

    Magento has officially replaced TinyMCE with HugeRTE - an MIT-licensed fork of the popular WYSIWYG editor. If your store relies on CMS content blocks, custom widgets or WYSIWYG-based modules, test all editor integrations carefully: HugeRTE is largely compatible but may introduce subtle behavioural changes, and any third-party module that ships its own editor plugins is the first place to look.

    New Module: Magento_Stomp

    A brand-new module - Magento_Stomp - adds support for the STOMP protocol, so Apache ActiveMQ Artemis can now be used as a message broker alongside the existing RabbitMQ (AMQP) integration. This offers greater flexibility in message queuing and scalability, particularly for high-volume stores or custom integrations that rely on asynchronous message handling. As with any new broker connection, the credentials and network path for the STOMP endpoint belong in the same review as your RabbitMQ configuration.

    What You Should Do Next

    • Apply the latest patch for your Magento version.
    • Test all CMS content that uses WYSIWYG editors (due to the Hugerte change).
    • Review your admin roles and permissions after updating, especially if you use custom ACL configurations.
    • Monitor your queue integrations if you leverage RabbitMQ or ActiveMQ.
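The first item on that list is easy to get wrong when a deploy partially succeeds, so here is an added example (written for this post, not Magento's own tooling) that reads the installed metapackage version from `composer.lock`, compares it with the patched release for its 2.4.x line as listed above, and reports whether the store is patched, still vulnerable, or on a line these patches do not cover. The `composer.lock` fragment is constructed sample input; the metapackage names are the standard ones for Magento Open Source and Adobe Commerce.

```python
import json
import re

# Patched release per supported 2.4.x line, as listed in this post:
# 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15.
PATCHED = {(2, 4, 8): 3, (2, 4, 7): 8, (2, 4, 6): 13, (2, 4, 5): 15}

# Composer metapackages for Magento Open Source and Adobe Commerce.
METAPACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str):
    """Split '2.4.7-p8' into ((2, 4, 7), 8); a bare '2.4.7' has patch level 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release)), int(patch or 0)


def patch_status(version: str) -> str:
    """Classify a version as 'patched', 'vulnerable' or 'unsupported'.

    'vulnerable' means the line is supported but below the October patch level;
    'unsupported' means the line is not among those these patches cover at all.
    """
    line, patch = parse_version(version)
    if line not in PATCHED:
        return "unsupported"
    return "patched" if patch >= PATCHED[line] else "vulnerable"


def installed_version(composer_lock_text: str):
    """Return (package, version) of the Magento metapackage from composer.lock.

    composer.lock records what was actually installed, which is more reliable
    than the version constraint in composer.json.
    """
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in METAPACKAGES:
            return pkg["name"], pkg["version"]
    raise LookupError("no Magento metapackage found in composer.lock")


def report(composer_lock_text: str) -> str:
    """One-line human-readable verdict for a composer.lock."""
    name, version = installed_version(composer_lock_text)
    status = patch_status(version)
    line, _ = parse_version(version)
    if status == "patched":
        detail = "at or above the October 2025 patch level"
    elif status == "vulnerable":
        detail = f"upgrade to {line[0]}.{line[1]}.{line[2]}-p{PATCHED[line]}"
    else:
        detail = "release line not covered by these patches; plan a minor upgrade"
    return f"{name} {version}: {status} ({detail})"


# Constructed composer.lock fragment (not taken from a real store).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "2.9.2"},
        {"name": "magento/product-community-edition", "version": "2.4.7-p7"},
    ]
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(report(text))
```

Run it against a real store with `python check_patch.py /path/to/composer.lock` (the file name is your choice); with no argument it reports on the built-in sample, which is one patch level short and prints `vulnerable (upgrade to 2.4.7-p8)`. Cross-check the answer with `bin/magento --version` on the deployed server, since a lock file in the repository only tells you what was meant to be deployed.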

    Keeping your store up to date isn't just about staying secure - it's about staying stable, compliant, and future-ready.

    If you'd like help assessing or applying these updates, our Magento Support Team can handle it for you - testing, deploying, and validating everything safely in your staging environment before it hits production. This level of proactive patch management is included as part of our fixed-fee monthly support.
