Found a security issue in catalog/includes/functions/whos_online.php, line 30:

    $wo_last_page_url = getenv('REQUEST_URI');

Replace with:

    $wo_last_page_url = htmlspecialchars(getenv('REQUEST_URI'));

This XSS vulnerability affects the admin panel -> Who's Online; a hacker could easily grab your admin cookie.
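The effect of the reported fix, as an added example that is not osCommerce code or part of the original report: the function names and the sample REQUEST_URI are constructed for illustration. It also passes the flags and charset explicitly, because htmlspecialchars() defaulted to ENT_COMPAT before PHP 8.1, which leaves single quotes unencoded.

```php
<?php
// Added example: hypothetical helper names, constructed input.

// Constructed REQUEST_URI carrying markup and both quote styles.
$request_uri = "/catalog/index.php?q=<b title='t'>\"test\"</b>";

// Before the fix: the raw URI is kept and later echoed into the admin page.
function wo_page_url_unescaped(string $uri): string
{
    return $uri;
}

// The fix from the report: encode HTML metacharacters in the URI.
// ENT_QUOTES covers single quotes as well; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function wo_page_url_escaped(string $uri): string
{
    return htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Check: can the value still open a tag or close a quoted attribute?
function contains_html_metachar(string $value): bool
{
    return strpbrk($value, "<>\"'") !== false;
}

$rows = [
    'unescaped'       => wo_page_url_unescaped($request_uri),
    'escaped'         => wo_page_url_escaped($request_uri),
    // What the bare call yields on PHP versions older than 8.1.
    'ENT_COMPAT only' => htmlspecialchars($request_uri, ENT_COMPAT, 'UTF-8'),
];

foreach ($rows as $label => $value) {
    printf(
        "%-16s metachar=%-3s %s\n",
        $label,
        contains_html_metachar($value) ? 'yes' : 'no',
        $value
    );
}
```

If the stored value is escaped again when the admin page renders it, entities will be double-encoded, so escape at one point only and keep it consistent.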
