
Magento Cache Plugin Gives Attackers Full Server Control via Cookie

CVE-2026-45247: Unauthenticated RCE in Mirasvit Full Page Cache Warmer. CISA KEV listed, actively exploited.


A Performance Plugin Became a Backdoor

Mirasvit's Full Page Cache Warmer is a performance optimization extension for Magento 2 and Adobe Commerce. It pre-generates cached versions of product pages so customers see fast load times. Store operators install it to improve conversion rates and SEO rankings. In versions before 1.11.12, it also gives any attacker on the internet full remote code execution on the server — through a cookie.

CVE-2026-45247 exploits unsafe PHP deserialization in how the cache warmer processes a specific cookie value. No authentication is required. No admin access. No account of any kind. An attacker sends a crafted HTTP request with a serialized PHP object in the cookie, and the server executes arbitrary code. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on June 3, confirming active exploitation in the wild.

CVSS Score: 9.8 (Critical). Source: NVD, CVE-2026-45247

The PHP Deserialization Problem

Unsafe PHP deserialization is a vulnerability class that the PHP security community has warned about for over a decade. When a PHP application calls unserialize() on user-controlled input, an attacker can inject objects that trigger arbitrary code execution through magic methods (__destruct, __wakeup, __toString). The Mirasvit cache warmer passed cookie data directly to unserialize() without validation or sanitization.

Magento 2's codebase contains numerous PHP classes with exploitable magic methods — the so-called 'gadget chains' that turn a deserialization call into code execution. The cache warmer did not need to contain vulnerable classes itself. It only needed to deserialize attacker input in a context where Magento's own classes were available. The Magento autoloader provided the rest.
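To make the pattern concrete, here is an added illustrative example (not Mirasvit's code and not a Magento gadget chain): a toy class with a `__destruct` side effect stands in for a gadget, the unsafe `unserialize()` call sits beside two hardened replacements, and the class name, function names and `$secret` are all assumptions.

```php
<?php
// Illustrative only: a stand-in "gadget". Magento's real chains are not
// reproduced; the point is that __destruct runs on an attacker-built object.
final class TempFileCleaner
{
    public string $path = '';
    public function __destruct()
    {
        // Attacker controls $path, so this is an arbitrary file write.
        if ($this->path !== '') {
            @file_put_contents($this->path, "cache warmed\n");
        }
    }
}

// VULNERABLE: the cookie value goes straight into unserialize(). A value
// beginning with O:15:"TempFileCleaner" instantiates the class above and
// fires __destruct with whatever path the sender chose.
function loadWarmerStateUnsafe(string $cookie): mixed
{
    return unserialize($cookie);
}

// HARDENED 1: refuse objects entirely. Scalars and arrays still round-trip;
// any O:/C: token becomes __PHP_Incomplete_Class and no magic method runs.
function loadWarmerStateNoObjects(string $cookie): ?array
{
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// HARDENED 2 (preferred): no PHP serialization at all. State is JSON and an
// HMAC proves the server issued it, so a forged cookie is rejected before
// parsing. $secret is assumed to come from server-side configuration.
function encodeWarmerState(array $state, string $secret): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $secret);
}

function loadWarmerStateSigned(string $cookie, string $secret): ?array
{
    [$b64, $mac] = array_pad(explode('.', $cookie, 2), 2, '');
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $secret), $mac)) {
        return null; // tampered or malformed cookie: ignore it
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}
```

The `allowed_classes` option has existed since PHP 7.0; the signed-JSON form is the one to reach for in new code, since it never gives untrusted input a path to object instantiation at all.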

CISA KEV Added: June 3, 2026. Source: CISA Known Exploited Vulnerabilities Catalog

The E-Commerce Attack Surface

Magento and Adobe Commerce power an estimated 150,000+ online stores globally, processing billions of dollars in transactions annually. These are not hobby sites. They hold credit card data (or connections to payment processors), customer PII, order histories, and business financial data. Full server access on a Magento store is a direct path to payment fraud, data exfiltration, and business disruption.

Mirasvit is one of the most popular third-party extension vendors in the Magento ecosystem. The Full Page Cache Warmer is installed on thousands of production stores. The exact installed base is not publicly disclosed, but Mirasvit's marketplace listings show the extension among their top sellers.

Magento/Adobe Commerce Stores: 150,000+. Source: BuiltWith, Magento usage statistics, June 2026

Speed Optimization as Attack Surface

The irony of CVE-2026-45247 is structural. Store operators installed the cache warmer to improve performance — faster page loads, better Core Web Vitals, higher search rankings, improved conversion rates. The performance optimization introduced a critical unauthenticated RCE. The plugin designed to make the store faster made it completely compromisable.

This pattern repeats across the Magento ecosystem and other plugin-heavy platforms. Performance plugins, SEO extensions, analytics integrations — each one adds code that runs in the application's security context. Each one is a potential entry point. The Magento Marketplace does not mandate security audits for third-party extensions. Vendors self-certify.

Affected Versions: All before 1.11.12. Source: SecurityWeek, Mirasvit advisory, May-June 2026

Framework Choice and Plugin Risk

WebPulse has tracked over 18,000 CVEs across WordPress and its plugin ecosystem. Magento's extension marketplace follows the same pattern: a core platform with a sprawling ecosystem of third-party code running with full application privileges. The vulnerability is not in Magento's core — it is in a third-party extension that store operators chose to install.

Modern headless commerce platforms (commercetools, Medusa, Saleor) decouple the storefront from the commerce engine, reducing the attack surface of frontend performance optimizations. A cache warmer in a headless architecture does not run PHP deserialization on the commerce server. The architectural separation eliminates the vulnerability class entirely.

For Magento store operators, the immediate action is to upgrade Mirasvit Full Page Cache Warmer to version 1.11.12 or later. Given the CISA KEV listing and confirmed active exploitation, any store running an affected version should assume compromise and conduct a full forensic review of server access logs, file integrity, and database contents.

Exploitation Status: Actively exploited. Source: CISA KEV Catalog, The Hacker News, June 2026
CVEs in this analysis: CVE-2026-45247