Magento has just released a new security patch, SUPEE-7405, for Magento 1.x (Magento 2.x receives the corresponding fixes through its own release rather than through this patch file). The patch is mandatory for every Magento installation and should be installed as soon as possible, as it addresses multiple security issues in Magento.
This patch fixes the following vulnerabilities: cross-site scripting (XSS) issues, a block cache exploit, SQL injection via layered navigation, CAPTCHA bypass, cross-site request forgery (CSRF), improper input handling and more. For the complete list of security and functional fixes, see the Magento security center. The patch is available for the supported Community Edition 1.x and Enterprise Edition 1.x versions listed there. Before you install this patch, all previously released patches must already be installed so that your system is fully up to date.
USPS Patch (SUPEE-7616)
This small patch is also available as of today and adapts the USPS shipping method to several recent changes. USPS changed a number of its services, rates and package names, which left the Magento USPS module outdated. With this patch installed, the module matches the latest USPS definitions. The changes include: “Standard Post” renamed to “Retail Ground”, the Flat Rate Box for Priority Mail Express eliminated, and more. This patch does not fix any security vulnerabilities.
It is highly recommended to install both SUPEE-7405 and SUPEE-7616 to future-proof your store. They need to be installed in any case: the next batch of security patches will require both to be present.
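As an added example (not Magento's own tooling, and not code from the original post), the following POSIX shell script checks the prerequisite stated in both paragraphs above: it reads the store's app/etc/applied.patches.list and reports which required SUPEE ids are not currently applied, so you can apply those first. The entry format it parses (pipe-separated, patch id in the second field, a trailing REVERTED marker for a patch that was backed out) is an assumption about how the SUPEE patch scripts record their work; the sample list embedded in the script is constructed, not taken from a real installation.

```shell
#!/bin/sh
# Added example: check which SUPEE patches a Magento 1.x store has applied
# before installing a new one. Not Magento's own tooling.
#
# Assumption about the format of app/etc/applied.patches.list: one
# pipe-separated entry per patch operation, the patch id (SUPEE-NNNN) in
# the second field, and a trailing "REVERTED" marker when a patch was
# backed out. The last entry for an id decides its current state.

# Constructed sample of applied.patches.list (not from a real store):
# SUPEE-6788 applied; SUPEE-6285 applied and then reverted.
SAMPLE_LIST='2015-10-28 12:00:00 UTC | SUPEE-6788 | CE_1.9.2.2 | v1 | 0a1b2c3d | Wed Oct 28 11:59:00 2015
2015-11-02 09:15:00 UTC | SUPEE-6285 | CE_1.9.2.2 | v1 | 4e5f6a7b | Mon Nov 2 09:14:00 2015
2015-11-02 09:20:00 UTC | SUPEE-6285 | CE_1.9.2.2 | v1 | 4e5f6a7b | Mon Nov 2 09:19:00 2015 | REVERTED'

# applied_patches FILE
# Prints the ids of patches currently applied, one per line, sorted.
applied_patches() {
    awk -F'|' '
        NF >= 2 {
            id = $2
            gsub(/^ +| +$/, "", id)                  # trim padding around the id
            if (id ~ /^SUPEE-[0-9]+$/)
                state[id] = ($0 ~ /REVERTED/) ? "reverted" : "applied"
        }
        END { for (id in state) if (state[id] == "applied") print id }
    ' "$1" | sort
}

# missing_patches FILE ID...
# Prints each required id that is not currently applied; exit status 1 if
# anything is missing, 0 if the store is ready for the next patch.
missing_patches() {
    file=$1
    shift
    applied=$(applied_patches "$file")
    rc=0
    for id in "$@"; do
        if ! printf '%s\n' "$applied" | grep -qx "$id"; then
            echo "$id"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo against the constructed sample. On a real store, point
# missing_patches at "$MAGENTO_ROOT/app/etc/applied.patches.list" instead.
demo_list=$(mktemp)
printf '%s\n' "$SAMPLE_LIST" > "$demo_list"
if missing=$(missing_patches "$demo_list" SUPEE-6788 SUPEE-6285 SUPEE-7405 SUPEE-7616); then
    echo "All required patches are applied."
else
    echo "Missing patches (apply these first):"
    echo "$missing"
fi
rm -f "$demo_list"
```

Run it from the Magento root with the list of ids your next patch depends on; a non-zero exit status means the store is not ready, and the printed ids are the patches to apply first. A patch that appears in the file only as reverted is treated as missing, which is what matters for prerequisites.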
You can download both patches from the official Magento download page (navigate to “Release Archive” and scroll down a bit; the patches are listed there. Choose your installation version and download the file).
You can find a complete guide to installing a Magento patch here.