Just thought I would post a quick notice here about this as I know that people who run CRE Loaded find their way to this site.

If you're not signed up to the CRE Loaded Forums you may have missed it, but a vulnerability was reported in builds of CRE Loaded up to and including version 6.15 back on 10th January.

The problem stems from some parts the WYSIWYG modification which forms part of CRE Loaded. In particular, elements of this function which are used to manipulate files (i.e upload, delete, etc) are accessible from the browser without having to be signed in as admin.

This is quite a nasty one as it doesn't require a great of skill to exploit and allows an attacker to, for instance, upload arbitrary php files and run them on your server. Then its quite a simple task to deface your store, grab customers details, hijack your webspace/bandwidth, attempt a rootkit installation, or any of the other things hackers enjoy doing.

If you haven't done so already I advise you to get the patch from www.creloaded.com and install it as soon as you can. The procedure only takes a minute or two and could save you a lot of repair work if the worst happens!