New SUPEE-10266 patch ontain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.” class=”glossaryLink “>SUPEE-10266 patch can be downloaded as usual from Downloads page:
https://magento.com/tech-resources/download#download2073 or installed as a regular Magento upgrade via Downloader (it is included in Magento 1.9.3.6 version).

You can install it in the same way as previous patches or by upgrading to Magento 1.9.3.6.

To apply the patch you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. If you have no SSH access, you can refer to How to apply SUPEE-10266 without SSH.

If you wish to save time and have us to install these patches for you, simply click here to order installation.

Step 0: Preparations

Note: Make sure to Disable Magento Compiler at System > Tools > Compilation and clear compiled cache.

Step 1: Verify your Magento version

$ grep -A6 'static function getVersionInfo' app/Mage.php
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '3',
            'patch'     => '3',

As you can see in the example, it is Magento 1.9.3.3

Step 2: Download corresponding patch

The patch should be downloaded from https://magento.com/tech-resources/download#download2073

Make sure to get the right file corresponding to your Magento version.

Step 3: Place patches into Magento Root directory

Upload your files into Magento root directory. It is important to place patch files directly into Magento root directory and execute it also directly in Magento root directory.

$ ls -1 .
PATCH_SUPEE-10266_CE_1.9.3.4_v1-2017-09-13-06-39-58.sh
app
cron.php
downloader
errors
favicon.ico
index.php
js
lib
mage
media
pkginfo
robots.txt
shell
skin
var

 

Step 4: Run the patches

$ bash ./PATCH_SUPEE-10266_CE_1.9.3.4_v1-2017-09-13-06-39-58.sh
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

 

Step 5: Verification and flush of Magento PHP opcode cache

Flush Magento caches: Navigate in Magento backend to System > Cache Management and flush Magento cache and CSS/JS caches.

If you use PHP opcode caches (OPCache/APC/XCache/eAccelerator) make sure to flush it after patching (or restart webserver), otherwise code will continue to run from caches.

Test that your store is working. Test Checkout process.