Magento Open Source, 1.9.x

Magento 1.x Security Patch Notice
For Magento Open Source 1.5 to 1.9, Magento is providing software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.

Release Notes

Magento Community Edition 1.9.2

We are pleased to bring you Magento Community Edition 1.9.2, which provides merchants with many enhancements that make it easier to build and maintain a high-quality, secure site.

Important! Use Magento Community 1.9.2 or later for all new installations and upgrades to ensure that you get the latest fixes, features, and security updates.

Solutions for Developers

Magento Community Edition 1.9.2 includes the latest versions of the Zend 1 Framework and Redis integration, as well as refinements to full-page caching that enable more pages to be served from cache. In addition, this release includes many enhancements as part of our commitment to continually improve product quality and to integrate previous patches into the core code.


Stop by our new Magento Security Center, and sign up for the Security Alert Registry to receive direct notification from our security team of any emerging issues and solutions.

SUPEE-6285 Patch Bundle

This bundle provides protection against several types of security-related issues, including information leaks, request forgeries, and cross-site scripting.

SUPEE-5994 Patch Bundle

This bundle includes protection against the following security-related issues:

SUPEE-5344 Patch

Magento Community Edition 1.9.2 provides protection against a specific remote code execution (RCE) vulnerability, known as the “shoplift bug,” which allows hackers to obtain Admin access to a store.

  • Patch Details


    Remote Code Execution

    CVSS Severity: 9.1 (Critical)

    Known Attacks:

    The authentication bypass uses a special parameter that allows the execution of an Admin action. The Admin action is vulnerable to SQL injection, which allows code to be inserted into the database and executed. As a result, the store can be fully compromised by creating counterfeit administrator accounts and/or installing malware on the server.

    Product(s) Affected: Magento CE prior to, and Magento EE prior to

    Fixed In:

    Netanel Rubin

Additional Security Enhancements

  • Access Control List (ACL) nodes without value are now set to DENY access by default.
  • Admin passwords now expire at the specified time.
  • Cross-site request forgery (CSRF) protection issue that interfered with Varnish caching resolved.
  • Cross-site scripting (XSS) exploit that used CACHED_FRONT_FORM_KEY resolved.
  • Data deserialization potential exploits resolved.³
  • .htaccess added to the shell subdirectory.⁴
  • JavaScript injection potential exploit of the Wishlist resolved.
  • Log permissions more restrictive.
  • Pages served using the HTTPS protocol now POST using HTTPS.
  • PHP bug in libxml that could cause the site to crash resolved.
  • Recurring profiles reinforced against unprivileged access.
  • Remote code execution potential exploits resolved.⁵
  • REST configuration reinforced against unprivileged access.
  • SQL injection potential vulnerabilities related to Advanced Search resolved.
  • Widget title is escaped correctly.

Changes in This Release

  • Access Control List (ACL) resources have new resources enabled.
  • Cron jobs now execute at the time they were created, rather than in the order in which they were created.
  • Google Universal Analytics now includes information about customer orders. The configuration has been streamlined, and includes two account types: Google Analytics and Universal Analytics.
  • Internet Protocol version 6 (IPv6) addressing is now supported.
  • Magento can now be updated from Magento Connect Manager.
  • Prices can be saved with a comma to separate thousands.
  • Products can be downloaded over HTTPS.
  • Redis integration has been updated to the latest version.⁶
  • XMLConnect module has been updated to ver. 24. The module should be delivered in the “disabled” state.
  • Zend framework has been updated to ver. 1.12.10.

Miscellaneous Fixes

  • OAuth login page now includes the form_key field.
  • REST call to Mage_Sales_Model_Order no longer returns errors.
  • SOAP API correctly populates the min_sale_qty field.
  • When a partial invoice is created using SOAP V2, salesOrderInvoiceCreate no longer changes the value of $itemsQty in subsequent orders.
  • Additional fields in the SOAP API CategoryInfo method:
  • SOAP WSDL URL (/api/v2_soap?wsdl) no longer appears the Admin, which is unreachable by SOAP.
  • Duplicate attribute sets no longer appear if they are several pages long.
  • Product Visibility set to “Search” works correctly.
  • Resolved JavaScript errors related to one-page checkout.
  • Regions appear in alphabetical order on the checkout page.
  • Customers can register for an account and complete checkout while the compiler is running.
  • The correct content appears in the storefront when the store cookie is set.
  • Widgets can be added to CMS pages.
  • Resolved issues uploading images from the WYSIWYG editor.
  • Thumbnails now appear in the WYSIWYG editor.
  • CMS pages that use the Generic Content layout appear normally.
  • The CMS Preview page uses the current theme.
  • The customer’s middle name or initial appears in both the Admin and storefront.
  • When customers log in to their accounts, the account page appears instead of the last page visited.
  • Saving a customer account from the Admin no longer returns an error.
  • If the customer locale does not require a postal code, the administrator does not have to enter one.
  • In the password reset notification, customers can reset their passwords for the correct store view.
  • The dates that customers and customer addresses were created are now correct. This fix does not apply to customers or addresses created in earlier versions. Only customers and addresses created with Magento Community ver. 1.9.2 show the correct dates.
  • Deleting large numbers of products from the Admin no longer returns SQLSTATE errors.
  • Disabled products no longer appear in the flat catalog table.
  • Resolved an issue that caused the core_cache_tags database table to grow in size.
  • Dataflow now exports products in which images are not used as media attributes.
  • Importing and exporting postal codes with a wildcard (*) works correctly.
  • Custom options are preserved during import.
  • Product imports no longer change the Visibility setting.
  • Reindexing flat catalog category data issue resolved.
  • The Updated at value for all indexers now shows the correct date and time.
  • Reindexing from the command line no longer returns errors in system.log.
  • Duplicate values for multi-select attributes no longer return errors when reindexed.

Magento Connect

  • You can now install extensions without errors using the Database Backup option.
  • Fixed potential issues with extensions.
  • Customers who use the same email address to subscribe to multiple newsletters now receive all newsletters to which they are subscribed.
  • When an order is placed, customers who use the same email address to register with two websites no longer receive notification that they have unsubscribed from a newsletter.

Order Processing

  • Address validation has been enhanced.
  • Printed invoices show the correct price for bundle products.
  • Issues with FedEx error code handling resolved. Choosing FedEx during checkout does not cause a fatal error.
  • Orders can be viewed from the Admin without triggering an error.
  • The percent (%) symbol can be used in order comments. Previously, the percent symbol interfered with the display of order comments.
  • The Fetch button works correctly for Authorize.Net Direct Post.
  • You can change the value of php_value memory_limit in .htaccess without encountering "out of memory" errors.
  • You can change the price of a product using the website scope without errors.
  • Added validation to make sure the special price is not greater than the actual price.
  • Resolved a performance issue related to catalog price rules with a large number of configured quotes.
  • The correct date appears in reports that are configured to run for a month or a year.
  • The Bestseller section of the Dashboard displays the correct prices.
  • The Sales Orders report displays the correct profit calculation result.
  • Rollback now completes without error when running PHP 5.5.

Shopping Cart

  • A message appears when you add an item to your shopping cart.
  • Customers can move unconfigured items from the Wishlist to the shopping cart without encountering an error.
  • Customers can edit Custom Options in a shopping cart without issues.
  • Swatch images no longer change size when clicked in search results.
  • Fixed responsive theme display problem with ZIP/Postal Code field.
  • Implemented correct escape character for translations.
  • International characters can now be used in a Magento storefront domain.⁷
  • Resolved issues with inline translation links and the Chrome browser.
  • Corrected the spelling of the Austrian province Vorarlberg.
  • Corrected missing translation of a shipping method error message.
  • Chinese locales now appear in the Interface Locale list.

We’d like to thank the following members of the Magento Community for their contributions to this release:

1 Performance enhancements, Thomas Birke

2 Performance enhancements, Ivan Chepurnty

3 Resolution of data deserialization exploit, Matthew Berry

4 Added .htaccess to shell subdirectory, Phillip Jackson

5 Resolution of remote code execution exploits, Netanel Rubin

6 Updated Redis integration, Colin Mollenhour

7 International characters in storefront domain, Yihao Peng