Themeforest and EM New SQL Injection Vulnerability?

#1

Got this message from Magento. What do we do? What is the next step?
Personally, I am using the theme “Fashionista”. Should I update it or change it?
Thank you in advance.

Third-Party Themes and Extensions Are at Risk

We recently learned that an SQL injection vulnerability has been found in several third-party themes and extensions. Extensions with the vulnerability include:

EM (Extreme Magento) Ajaxcart
EM (Extreme Magento) Quickshop
MD Quickview
SmartWave QuickView

These extensions are used in several different themes, including Porto, Trego, and Kallyas from SmartWave. Other SmartWave themes may also be at risk. Vulnerable EM modules are used in some EM themes. The core Magento application is not impacted in any way by this vulnerability.

We’ve received reports that the SQL injection vulnerability is potentially being exploited. If you currently use these extensions or themes, you should immediately contact the company from which you purchased the extensions or themes to request updated code. We understand that Themeforest, part of Envato Market, has already removed the vulnerability from the Porto theme, but the status of other themes and extensions is unknown.

It is also important for you to evaluate all your Magento administrator accounts to make sure there are no unknown users and to reset all your administrator passwords. Please review the Magento Security Best Practices for more information on how to secure your site and use magereport.com to scan your site for missing patches or known issues.

This update is part of our ongoing commitment to advise our merchants on security issues as we become aware of them. We thank you for your attention to this matter.

Best regards,
The Magento Team


#2

I am also very concerned. I use the Envato Market Neoshop theme. Recently, I had a situation where someone hacked into my Magento website from outside the US and purchased quite a few products as a guest and then gave himself or herself a 30% discount. My Magento store is not configured to allow customers to use any country’s billing or shipping addresses other than the USA. I feel so vulnerable right now and I would like answers about issues surrounding SQL injection. I would like to know what EM is doing about this and what patches they have for us, especially in light of this recent Magento exposition. Thanks.