Today an exploit came out, allowing to upload a prepared jpg (actuallly it is a mvg), and as soon as php imagemagick or any other library using imagemagick (and there are lots of them) tries to access / recompress the uploaded picture, the shellcode inside gets directly executed.
Dependending on system architecture, the exploit could now send the real ip to an external server, open a remote shell allowing attackers to open a shell session to the server, compromissing wallets, stealing coins, or build up a trap (the government) which collects lots of datas, etc.
Not sure if all market places will be complete sandboxed and isolated, so only allowing the webserver port and one port for accessing the blockchain in and outside. Then de-anonymization of market place would not that easyy, but stealling coins and compromissing the system is still possible.
So my advise if to check now if you are vulnerable, and if so fix this asap- Check your logs for strange picture uploads, etc.
Since its so trivial (google "image magick exploit" first result) here the link (by hoping admins will fix this issue very very fast!)
http://www.theregister.co.uk/2016/05/04/imagemagick_exploits_in_the_wild/ (CW)
Workaround for hosts (via https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html ):
Another important point from the ImageMagick devs via https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 :
More info and mitigations at https://imagetragick.com/