On March 26th, 2019, Magento released updates for versions 1 and 2, both Open Source and Commerce. Magento included options for either a version upgrade or a bare-minimum security patch across their offerings. By extending these upgrades and patches to their whole user base, Magento is signaling the importance of this release set. There are confirmed critical security issues corrected in this new release, and the primary concern centers on SQL injection vulnerabilities.
Magento is very direct in their recommendations on how to proceed: "We strongly suggest that you install these full patches as soon as you can."
You can review the Magento documentation here:

Magento 1 Supee-11086 Patch
Magento 2.3.1-2.2.8-and-2.1.17 Security Update

To an attacker, these vulnerabilities are now documented and actionable against any site that has not been upgraded or patched. No one wants to pay for security patch implementation, but it becomes a wise investment when weighed against the damage a simple credit card skimmer script could do to your business. Such an attack on your site could require a forensic audit by authorities or credit card processors. The one cost that cannot be calculated is the loss of credibility with your customer base.

Before shipping dates or newsletter subscriptions, your customers expect a secure shopping experience. Without ensuring safe transactions, any marketing budget could be washed away by the word of mouth from 1 stolen identity.

The Magento community has confirmed the risk to all sites without the upgrades and patches released on March 26th. Magento has proactively provided the means of securing every version and license level. It is now on us as eCommerce professionals to make certain that our customers never have to worry about fraudulent charges on their card being linked to a Magento site. Especially not your Magento site.

Not sure if you are missing the patch, or not quite sure if your site is up to date? Contact us, we are ready to help!
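As an added example (not code from the original post or from Magento), the script below shows two quick checks a site owner can run to answer the "am I patched?" question for the releases named above. For Magento 1 it looks for a SUPEE-11086 entry in app/etc/applied.patches.list, the file the official patch script appends to; for Magento 2 it compares a version string against the fixed versions 2.3.1, 2.2.8 and 2.1.17 from the advisory. The demo directories and the applied.patches.list line are constructed for illustration and only mimic the general shape of the real file.

```shell
#!/bin/sh
# Added example: patch-status checks for the March 26th, 2019 Magento releases.
# Assumptions: Magento 1 patches were applied with the official .sh patch
# script (which appends to app/etc/applied.patches.list); Magento 2 versions
# are compared against the fixed releases 2.3.1 / 2.2.8 / 2.1.17.

# Magento 1: return 0 if SUPEE-11086 is recorded for the install at $1.
has_supee_11086() {
  root="$1"
  list="$root/app/etc/applied.patches.list"
  [ -f "$list" ] || return 1          # no patch log at all: treat as unpatched
  grep -q 'SUPEE-11086' "$list"
}

# Magento 2: return 0 if version string $1 (e.g. "2.2.7", "2.3.1-p1") is at or
# above the fixed release for its branch. Unknown branches are reported as
# not confirmed (non-zero) so that the caller has to look them up explicitly.
m2_version_is_fixed() {
  v="$1"
  major=${v%%.*}
  rest=${v#*.}
  case "$rest" in
    *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
    *)   minor=$rest;       patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}             # strip suffixes such as "-p1"
  [ -n "$patch" ] || patch=0
  case "$major.$minor" in
    2.3) [ "$patch" -ge 1 ] ;;
    2.2) [ "$patch" -ge 8 ] ;;
    2.1) [ "$patch" -ge 17 ] ;;
    *)   return 1 ;;
  esac
}

# Constructed demo installs (not real Magento trees), one patched, one not.
DEMO_ROOT="$(mktemp -d)"
DEMO_PATCHED="$DEMO_ROOT/patched"
DEMO_UNPATCHED="$DEMO_ROOT/unpatched"
mkdir -p "$DEMO_PATCHED/app/etc" "$DEMO_UNPATCHED/app/etc"
# Constructed line in the general shape of an applied.patches.list entry.
printf '%s\n' '2019-03-27 10:15:02 UTC | SUPEE-11086 | CE_1.9.4.1 | v1 | CONSTRUCTED-HASH | Tue Mar 26 2019' \
  > "$DEMO_PATCHED/app/etc/applied.patches.list"
: > "$DEMO_UNPATCHED/app/etc/applied.patches.list"

report_m1() {
  if has_supee_11086 "$1"; then echo "$1: SUPEE-11086 applied"
  else echo "$1: SUPEE-11086 NOT found"; fi
}
report_m2() {
  if m2_version_is_fixed "$1"; then echo "Magento 2 $1: at or above fixed release"
  else echo "Magento 2 $1: needs update (or unknown branch)"; fi
}

report_m1 "$DEMO_PATCHED"
report_m1 "$DEMO_UNPATCHED"
for ver in 2.1.16 2.1.17 2.2.7 2.2.8 2.3.0 2.3.1; do report_m2 "$ver"; done

# On a live Magento 2 install, feed the real version in instead, e.g.:
#   report_m2 "$(bin/magento --version | awk '{print $NF}')"
```

The Magento 1 check reads the patch log rather than inspecting code, so it only reflects patches applied through the official script; a manually edited core would need a file-level diff instead. The version check errs on the side of "not confirmed" for any branch the advisory does not name.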