Opinion / Commentary

The Third-Party Plugin Is the Perimeter Now — Magento Today, Your Stack Next

CVE-2026-45247 in the Mirasvit Magento extension continues a pattern that security teams have been watching for years: the attack surface of any complex platform is not defined by the core platform's security — it is defined by every third-party component installed on it. This is not a Magento problem. It is an architecture problem that affects every enterprise platform stack.

CipherWatch Editorial · Security Intelligence Platform

The Mirasvit Full Page Cache Warmer is not a widely known software product. Before CVE-2026-45247 and the CISA KEV addition this week, most security practitioners had no reason to have an opinion about it. It is a caching optimisation extension for Magento — a performance tool, not a security product. It does not handle payment data or authentication. It warms the page cache.

And yet a vulnerability in this peripheral optimisation extension produces unauthenticated remote code execution on the server. CVSS 9.8. On the same server that processes payment card data. In active exploitation.

This is the third-party plugin problem in its clearest form: the attack surface of a platform is not bounded by the security posture of the core platform. It is the union of all attack surfaces across every installed component.

The Unboundedness of Modern Platform Security

Adobe — which maintains Magento — has a structured security programme. Magento core receives regular security patches. Adobe maintains a responsible disclosure process, pays bug bounties, and issues security advisories. The core platform’s security posture is meaningfully better than it was five years ago.

The extension ecosystem is a different entity entirely. Mirasvit is a legitimate, well-regarded Magento extension vendor. They issue patches. They have a customer support channel. But they are not Adobe. Their internal security development practices, their code review processes, and their vulnerability response timeline are not subject to Adobe’s security programme. The extension ships with the same PHP deserialization pattern that has produced multiple critical CVEs in the Magento ecosystem — not because Mirasvit is negligent, but because deserialization is a pervasive pattern in PHP/Magento development that the ecosystem has not retired.
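As an added illustration (constructed here, not code from Mirasvit, Magento or Adobe), this is the shape the deserialization pattern described above typically takes in a PHP extension, next to a hardened form of the same job-intake logic. The endpoint purpose, parameter names, the allowed store hosts and the signing key are all assumptions.

```php
<?php
// Constructed example, not the extension's own code.
// A hypothetical cache-warmer endpoint that receives a "job" describing
// which pages to warm.

// Vulnerable pattern: unserialize() on client-controlled input. PHP will
// instantiate any class named in the payload and run its magic methods
// (__wakeup, __destruct), which is why this pattern keeps producing RCE CVEs.
function warmJobsUnsafe(string $rawJob): array
{
    $job = unserialize($rawJob);   // no class allow-list, no integrity check
    return is_array($job) ? $job : [];
}

// Hardened pattern:
//  1. Never accept PHP's native serialization format from a client; use JSON.
//  2. Require an HMAC over the payload so only the scheduler can submit jobs.
//  3. Validate the decoded structure against the few fields the job needs.
//  4. If legacy serialized data must be read, pass allowed_classes => false.
const JOB_HMAC_KEY = 'replace-with-a-secret-from-configuration'; // assumption
const ALLOWED_HOSTS = ['shop.example', 'www.shop.example'];      // assumption

function warmJobsHardened(string $rawJob, string $signature): array
{
    $expected = hash_hmac('sha256', $rawJob, JOB_HMAC_KEY);
    if (!hash_equals($expected, $signature)) {
        throw new RuntimeException('job payload signature mismatch');
    }
    $job = json_decode($rawJob, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($job) || !isset($job['urls']) || !is_array($job['urls'])) {
        throw new InvalidArgumentException('job must contain a urls array');
    }
    $urls = [];
    foreach ($job['urls'] as $u) {
        // Only warm pages on our own store hosts; drop everything else.
        if (is_string($u) && filter_var($u, FILTER_VALIDATE_URL) !== false
            && in_array(parse_url($u, PHP_URL_HOST), ALLOWED_HOSTS, true)) {
            $urls[] = $u;
        }
    }
    return ['urls' => $urls];
}

// Legacy data the extension itself wrote can still be read without object
// instantiation: any class in it becomes __PHP_Incomplete_Class instead.
function readLegacySerialized(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}
```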

Every Platform Has This Problem

Magento is a visible example because eCommerce platforms are high-value targets and the Magento extension ecosystem is large and heterogeneous. But the dynamic is not Magento-specific.

WordPress: approximately 60,000 plugins in the official repository, each with its own security posture. Critical vulnerabilities in popular WordPress plugins — Elementor, WooCommerce extensions, caching plugins — appear regularly. Many are exploited in mass campaigns within days of public disclosure.

ServiceNow: A significant third-party application ecosystem on the Now Platform. Custom applications developed by customers and partners extend the platform’s capabilities — and its attack surface. The June 2 ServiceNow API breach originated in platform code, not a third-party application, but the principle extends: the security of a ServiceNow instance is determined by both the core platform and every custom application and integration deployed on it.

GitHub Actions / CI/CD pipelines: Third-party Actions in the GitHub Actions marketplace can be compromised to inject malicious code into CI/CD pipelines. The March 2025 tj-actions/changed-files supply chain attack demonstrated this at scale.

Microsoft 365 / Azure: Third-party applications granted OAuth permissions to M365 tenants extend the attack surface. A malicious or compromised M365 application with Mail.Read and Files.Read permissions is a data exfiltration vector that bypasses most enterprise email security controls.

The pattern is universal: every platform that supports third-party extensions, plugins, applications, or integrations has an attack surface that its core security programme does not fully govern.

The Governance Question

The security industry has been discussing third-party software risk for years. The discussion has not produced a solution, partly because there is no clean solution. Software developers want extensible platforms. Vendors want ecosystems. Customers want the capabilities that extensions provide. The economic incentives that produce plugin ecosystems are stronger than the governance incentives that would impose security standards on them.

What exists instead is a set of partial mitigations: software composition analysis tools that track known vulnerabilities in installed components, vendor security vetting programmes that are voluntary and uneven, and enterprise risk programmes that try to apply third-party security assessment to the highest-risk additions to the software stack.

These mitigations are useful, but they do not solve the fundamental problem: the rate of new extension vulnerabilities consistently exceeds the enterprise’s capacity to track and remediate them.

CVE-2026-45247 will be patched by Mirasvit customers who learn about it and act on it. The next extension CVE — in Magento, in WordPress, in ServiceNow, in whatever platform your organisation uses — will be a different extension that the same tracking and remediation process may not cover in time.

This is not cause for despair. It is cause for honesty about what third-party extension security means in practice: not a checklist to complete, but a continuous, unbounded risk management task that does not have a finish line.
