The MODX team has been notified of two vulnerabilities in MODX Revolution that allow users to bypass security and delete or damage websites. Attackers could exploit these to remotely execute arbitrary code on your website or web server.
It has also come to the team's attention that as of yesterday, July 18, 2018, someone has published a working proof of concept of the security exploit, meaning that any website that is not up to date could be attacked.
It is absolutely critical that your site be updated to 2.6.5.
All MODX Revolution releases from 2.0 through 2.6.4, inclusive, are affected. Anything older than 2.5.1 is especially vulnerable.
We have already scheduled upgrades for any customer with an existing maintenance agreement. So if you have a maintenance agreement with us, you are good; no need to worry!
If you do not have a maintenance agreement with us, that is not a problem. We offer updates to those who are not under a maintenance agreement for $180. Our updating involves a full backup of the database and files and thorough checking to make sure the upgrades were installed properly. If major issues do occur during the upgrade, we can roll back to how it was before we started or fully work through the issues after discussing costs and options with you.
To schedule the upgrade, please contact us at firstname.lastname@example.org and the team will get you started! If you want to attempt it yourself, details on how to do the upgrade can be found in the MODX documentation.
The most effective way to ensure the safety of your MODX site and its data is to always be running the latest version of the MODX software. MODX continues to grow in popularity and profile, which only makes it a more prominent target for attack.
MODX will typically issue security patch releases within days of a report of a critical vulnerability. Once they release a patch, you should make sure it gets applied to your MODX website. Recovery from site compromise is often very time-consuming and can be catastrophic or very expensive.
Once you are logged in to the manager, your current version can be found along the top, in the right-hand or left-hand corner. Please reference our blog post on How to find out what version of MODX you have for more help.