Upgrade Details

Adobe Commerce 2.4.7-p4—for merchants

Here's what you need to know for a successful upgrade.

Adobe provides quarterly security patch releases according to their ongoing schedule. On February 11, 2025, they released patch updates for several versions:

In this article, we will break down the changes involved and present the pathway for testing these updates.

As of this writing, Adobe Commerce 2.4.4 - 2.4.7 is actively supported by Adobe. To ensure these versions are properly secured, Adobe is offering a paid Extended Support plan for 2.4.4 and 2.4.5.

If you need help upgrading, we would appreciate the opportunity to present our plan. Please reach out to us to get this set.


When should I install it?

As soon as possible. PCI Compliance Rule 6.2 states that critical security patches must be installed within one month of release. 2.4.7-p4 qualifies as such a patch.

Adobe recommends installing this update within 72 hours of release due to the known nature of these exploits (see the security bulletin and explanatory notes).

What changes are included in 2.4.7-p4?

  • Removed the hidden capability to delete customer file attributes
  • Better security for downloadable order item rendering
  • Better security for the file upload field
  • Save CMS page design
  • New exception types for emails (UnexpectedTemplateIdValueException and UnexpectedTemplateFieldNameValueException)
  • Handling the default shipping/billing address throws an error when saving if not all data is included.
  • Easier to switch encryption keys by calling out specific columns
  • New command to list re-encryptors: bin/magento encryption:data:list-re-encryptors
  • Re-encrypts with current encryption key: bin/magento encryption:data:re-encrypt
  • Better security for downloading file exports
  • Better security for logging
  • Fixing permissions and better security for creating orders (admin)
  • Locking quote addresses when saving to prevent table locks
  • Locking coupon usage when saving
  • Recaptcha wishlist was moved to a new module
  • Better API request validation in the Asynchronous API

How should we test this?

  • Review the text editors. The funny thing is all native text editors that I’m aware of are Page Builder enabled. The only way to use TinyMCE is to have disabled Page Builder. And if you’ve done that, we need to talk, because you should be using Page Builder. However, custom code or third-party modules are where you’ll find the archaic text editor. You will want to double-check their additions to products, categories, custom pages, and store configuration.
  • Save a product. The weight field is now being validated.
  • Update a customer both from the backend and while impersonating a test customer.
  • Update a coupon code that’s well-used in your system.
  • Of course, place an order and make sure it flows as expected into your ERP.
  • If you haven’t rotated your encryption keys, do it ASAP. It’s likely you’ve already been targeted with CosmicSting.

Let's knock this out.

No one likes getting patches applied, but our warm hospitality makes it as painless as possible. Would you like us to apply your patch for you?
