Blog | G5 Cyber Security

Magento plugin Magmi vulnerable to hijacking admin sessions

A cross-site request forgery (CSRF) vulnerability continues to be present in the Magmi plugin for Magento online stores. Hackers can use the flaw to execute arbitrary code on servers running Magmi (Magento Mass Importer) by tricking authenticated administrators into clicking a malicious link. A new version of the plugin emerged on August 30 with a fix just for the authentication bypass vulnerability. Magmi is compatible with Magento 1.x, which is no longer under active support, but the plugin’s download count over the past six months indicates hundreds of installations.

Source: https://www.bleepingcomputer.com/news/security/magento-plugin-magmi-vulnerable-to-hijacking-admin-sessions/
