
Magento Vulnerability Scanner

Probes known paths and security headers of the Magento store looking for leaked sensitive files, backdoors and versions with critical CVEs (CosmicSting, TrojanOrders). Passive, read-only — no exploitation.

100% free, no signup. We do not store logs of what you look up. Protected by Cloudflare Turnstile.

We probe known paths (backups, .git, env.php, phpinfo, webshells), security headers and version — read-only, non-intrusive.

Use only on stores you administer. The scan is passive (GET only, no exploitation).

Stop checking by hand — monitor 24/7

This tool is a snapshot of right now. Especialista Loja Virtual runs real browser checks on your store every few minutes and alerts you on Discord, Slack or email with a screenshot of the problem. Start free.

How the vulnerability scanner works

We make passive GET requests to known paths of your store (.sql backups, /.git/config, /app/etc/env.php, /phpinfo.php, common webshell names, /media/index.php), read the security headers of the homepage and try to identify the Magento version. A finding is reported only when the response body contains the matching content marker, so a store that answers 200 for every path (SPA/PWA catch-all routing) does not produce a false positive.
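The content-marker rule above, as an added example that is not the scanner's own code: a probed path counts as a finding only when the body matches a marker, so a PWA that answers 200 with its app shell for everything yields nothing, and the homepage headers are checked separately. The marker patterns and the sample responses are assumptions constructed for illustration; the page does not list the scanner's real markers.

```python
import re

# Marker table is an assumption: the page says a path is a finding only when the
# response carries a content marker, but does not list the markers it uses.
MARKERS = {
    "/.git/config": re.compile(r"^\[core\]", re.MULTILINE),
    "/app/etc/env.php": re.compile(r"'crypt'\s*=>"),
    "/phpinfo.php": re.compile(r"PHP Version|phpinfo\(\)"),
    "/backup.sql": re.compile(r"CREATE TABLE|INSERT INTO"),
}

# Headers the page names as checked on the homepage (matched case-insensitively).
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")

def classify(path, status, body):
    """'exposed' = 200 with marker (reported); 'no-marker' = 200 without marker
    (SPA/PWA catch-all page, not reported); 'clean' = any other status."""
    if status != 200:
        return "clean"
    return "exposed" if MARKERS[path].search(body) else "no-marker"

def missing_headers(headers):
    """Required security headers absent from a response header dict."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]

def findings(responses, home_headers):
    """Reduce {path: (status, body)} plus homepage headers to the reported findings."""
    report = [f"exposed:{p}" for p, (s, b) in responses.items()
              if classify(p, s, b) == "exposed"]
    report += [f"missing-header:{h}" for h in missing_headers(home_headers)]
    return report

if __name__ == "__main__":
    # Constructed responses: a PWA storefront answers 200 with its app shell for
    # every unknown path; only /.git/config is a real leak.
    spa_shell = '<!doctype html><html><body><div id="app"></div></body></html>'
    sample = {
        "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
        "/app/etc/env.php": (200, spa_shell),
        "/phpinfo.php": (200, spa_shell),
        "/backup.sql": (404, "Not Found"),
    }
    home = {"Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY"}
    print(findings(sample, home))
    # -> ['exposed:/.git/config', 'missing-header:strict-transport-security']
```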

The scan is non-intrusive: it is read-only and exploits no vulnerability (no XXE, no upload, no proof of concept). Critical CVEs like CosmicSting (CVE-2024-34102) and TrojanOrders (CVE-2022-24086) are used only for version correlation and for detecting artifacts already present (webshells). Use only on stores you administer.

Frequently asked questions

What does this scanner check?

Exposed sensitive files (database dumps, .git, env.php/local.xml, phpinfo), backdoors/webshells with known names, an executable /media/index.php, directory listing, GraphQL introspection, missing security headers (CSP, HSTS, X-Frame-Options) and a Magento version with a known critical vulnerability.

Is it intrusive? Can I use it on any site?

It is not intrusive — we only make GET requests to public paths, exploiting nothing. Even so, use it only on stores you administer: it is a security self-assessment tool, not for testing third-party sites.

What is CosmicSting?

CosmicSting (CVE-2024-34102) is a critical XXE flaw in Magento/Adobe Commerce that, chained with CVE-2024-2961, leads to remote code execution. Thousands of stores were compromised in 2024 — the attacker steals the env.php crypt key and injects a skimmer. Versions before 2.4.7 are vulnerable; update/apply the patch.

It found a problem. Now what?

Prioritize the critical findings: remove sensitive files from the docroot, rotate the crypt key and passwords, and look for backdoors. If there is a webshell or a very outdated version, treat the store as possibly compromised and also run the Magecart scanner to check for a skimmer.

Official references

Primary sources used in building this tool. Use them to go deeper or to validate the technical criteria.