New SUPEE-9767patch can be downloaded as usual from Downloads page: or installed as a regular Magento upgrade via Downloader (it is included in Magento version).

You can install it in the same way as previous patches or by upgrading to Magento

To apply the patch you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. If you have no SSH access, you can refer to How to apply SUPEE-9767 without SSH.

If you wish to save time and have us to install these patches for you, simply click here to order installation.

Step 0: Preparations

Note: Make sure to  Disable Magento Compiler at System > Configuration > Tools > Magento Compiler and clear compiled cache.

Step 1: Verify your Magento version

$ grep -A6 'static function getVersionInfo' app/Mage.php
    public static function getVersionInfo()
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '3',
            'patch'     => '1',

As you can see in the example, it is Magento

Step 2: Download corresponding patch

The patch should be downloaded from

Make sure to get the right file corresponding to your Magento version.

Step 3: Disable Symlinks setting

In Magento backend navigate to System > Configuration > Advanced > Developer > Template Settings > Enable Symlinks and set it to No, if it is not set already:

Step 4: Place patches into Magento Root directory

Upload your files into Magento root directory. It is important to place patch files directly into Magento root directory and execute it also directly in Magento root directory.

$ ls -1 .


Step 5: Run the patches

$ bash ./
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.


Step 6 (optional): Enable Form Key Validation On Checkout

To take all advantages of SUPEE-9767 released on May 31, 2017 address several security issues, including Remote code execution through symlinks, Remote Code Execution in DataFlow, Remote Code Execution in the Admin panel, SQL injection in Visual Merchandiser and several XSS and CSRF issues.” class=”glossaryLink “>SUPEE-9767 patch it is recommended to enable form key verification for checkout at System > Configuration > Advanced > Admin > Security > Enable Form Key Validation On Checkout.

Note: Make sure that corresponding checkout template phtml files in your custom theme have form key fields included.

These fields were added in this patch into default themes, so if you use default theme (base / rwd) or your theme does not override checkout pages, then you can enable Form Key Validation On Checkout right away. Otherwise, the following template files in your custom theme should be checked:


These files should include formkey line and you can add it just like in default template files:

--- app/design/frontend/base/default/template/checkout/onepage/payment.phtml
+++ app/design/frontend/base/default/template/checkout/onepage/payment.phtml
@@ -35,6 +35,7 @@
 <form action="" id="co-payment-form">
         <?php echo $this->getChildHtml('methods') ?>
+        <?php echo $this->getBlockHtml('formkey') ?>
 <div class="tool-tip" id="payment-tool-tip" style="display:none;">


Step 7: Verification and flush of Magento PHP opcode cache

Flush Magento caches: Navigate in Magento backend to System > Cache Management and flush Magento cache and CSS/JS caches.

If you use PHP opcode caches (OPCache/APC/XCache/eAccelerator) make sure to flush it after patching (or restart webserver), otherwise code will continue to run from caches.

Test that your store is working. Test Checkout process.