Magento 1.9.2.2 patched by SUPEE 7405 - XSS attack still possible

Question

I installed the security patch SUPEE 7405 by shell. The output said that the patch was successfully installed:

Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

The command grep '|' app/etc/applied.patches.list shows me that the patch is installed: 2016-01-26 12:42:44 UTC | SUPEE-7405-CE-1-9-2-2 | CE_1.9.2.2 | v1 |

I also checked some PHP files that had to be patched and they were.

The cache were cleared after installing.

The problem is that the XSS attack is still possible.

magereport.com said that the patch is not installed.

Any ideas?

Answer 1

This answer contains a list of patched files: https://magento.stackexchange.com/a/98232/243 (you can also look it up in applied.patches.list.

Please check if you override any of them in your custom theme or in code/local. Then you need to patch these files manually.

Also check for class rewrites that might override the patched methods (see: How do I get a list of all class rewrites?)

As a suggestion, check this post about the beta status of magereport, it explains how the check is done and may help you find the problem: http://support.hypernode.com/knowledgebase/security-checks-in-beta/