According to announce sent on May 15, 2015 to all Magento installations new security patch SUPEE-5994 should be installed in addition totwo recent shoplift patches (SUPEE-5344 and SUPEE-1533).

Important: New Magento Security Patch – Install it Now
It is important for you to download and install a new security patch (SUPEE-5994) from the Magento Community Edition download page ( Please apply this critical update immediately to help protect your site from exposure to multiple security vulnerabilities impacting all versions of the Magento Community Edition software. Please note that this patch should be installed in addition to the recent Shoplift patch (SUPEE-5344).

New SUPEE-5994 patch can be downloaded as usual from Downloads page:

You can install it in the same way as previous patches. To apply the patches you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. To apply patches without SSH access

If you wish to save time and have us to install these patches for you, simply click here

Step 0: Preparations

Make sure to Disable Magento Compiler at System > Configuration > Tools > Magento Compiler and clear compiled cache.

Step 1: Verify your Magento version

$ grep -A6 'static function getVersionInfo' app/Mage.php
    public static function getVersionInfo()
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '1',
            'patch'     => '0',

As you can see in the example, it is Magento

Step 2: Download corresponding patches

Patches are obtained from

Make sure to get the right version.

Step 3: Place patches into Magento Root directory

Upload your files into Magento root directory. It is important to place patch files directly into Magento root directory and execute it also directly in Magento root directory.

$ ls -1 .


Step 4: Run the patches

$ bash ./
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

Step 5: Verification and flush of PHP opcode cache

Verify patch status at our patch tester page.
Test that your store is working. If you use PHP opcode caches (APC/XCache/eAccelerator) make sure to flush it after patching, otherwise code will continue to run from caches.

Additionally, if your store still using default /admin/ path, you may consider restrict access to /downloader/.


Known issues / errors

Tool(s) “patch” is(are) missed, please install it

sh ./
Error! Some required system tools, that are utilized in this sh script, are not installed:
Tool(s) "patch" is(are) missed, please install it(them).

As it is stated in error message patch utility needs to be installed on your system. Installation is usually done with superuser privileges, so make sure you have these. To install patch on Debian/Ubuntu use:

# apt-get install patch


$ sudo apt-get install patch

To install patch on RedHat/CentOS/Fedora use:

# yum install patch


$ sudo yum install patch

can’t find file to patch at input line 334

$ bash ./
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.
patching file app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
patching file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
patching file app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
patching file app/code/core/Mage/Customer/Model/Customer.php
patching file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
patching file app/code/core/Mage/Install/Controller/Router/Install.php
patching file app/code/core/Mage/Install/etc/config.xml
patching file app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
patching file downloader/Maged/Model/Connect.php
patching file downloader/Maged/View.php
patching file downloader/template/connect/packages_prepare.phtml
patching file downloader/template/messages.phtml
can't find file to patch at input line 334
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
|diff --git get.php get.php
|index a7fe802..71ab535 100644
|--- get.php
|+++ get.php
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
patching file lib/PEAR/PEAR/PEAR.php
patching file lib/PEAR/PEAR/PEAR5.php
patching file lib/Varien/Io/File.php

In the output above it can not find file get.php. To solve it should be enough to place the get.php file from Magento distribution into Magento root directory.