
Amasty patches 25 Magento extensions, 1 critical


by Sansec Forensics Team

Published in Threat Research − July 02, 2026

Amasty issues a massive security release for 25 extensions. One is critical and can lead to remote code execution. Sansec Shield already blocks the critical issues, and emergency mitigation for the medium severity issues is in progress.


Amasty is one of the largest ecommerce extension vendors, with many thousands of modules installed worldwide. This security release affects almost every Magento & Adobe Commerce store, so you should probably take action today.

Running Sansec Shield? You are protected already!

If not, we strongly recommend upgrading the critical extensions today and scheduling the remaining extensions for upgrade within the next 4 weeks.

Affected extensions

Critical

  • Advanced Product Reviews. An attacker can upload a web shell without logging in and run code on your store, giving full control. Packages amasty/advanced-review, amasty/advanced-review-graphql. First secure version 1.17.1.

This is worse than the similar Order Attributes flaw that we covered recently, because this one allows arbitrary upload locations, which defeats the standard block on PHP execution under pub/media.
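The paragraph above explains why an upload flaw that lets the attacker pick the destination is worse than one confined to pub/media. The following Python function is an added example of how a defender would confine an upload handler; it is not Amasty's or Magento's code and does not reflect the internals of the affected extension. It assumes a fixed upload directory (the base_dir argument) and an allowlist of image extensions, both chosen here for illustration.

```python
from pathlib import Path, PurePosixPath

# Extensions the advisory lists as worth reviewing in web directories;
# none of these should ever be accepted from an anonymous uploader.
ACTIVE_CONTENT_EXTS = {".php", ".phtml", ".phar", ".html", ".svg"}

# Allowlist for a review-photo upload (assumption for this example).
ALLOWED_IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}


def resolve_upload_target(base_dir: Path, user_filename: str) -> Path:
    """Return the absolute path an upload may be written to, or raise ValueError.

    Three checks, in order:
      1. The name must be a bare filename: no slashes, backslashes or NUL, so the
         client cannot steer the file out of base_dir ("../../pub/shell.php").
      2. Every suffix is inspected, not just the last one, so "shell.php.jpg"
         is rejected as well as "shell.phtml".
      3. The final path is resolved (symlinks included) and must still sit
         under base_dir; this is the backstop if check 1 is ever loosened.
    """
    if not user_filename or "\x00" in user_filename:
        raise ValueError("empty or NUL-containing filename")
    if "/" in user_filename or "\\" in user_filename:
        raise ValueError("filename must not contain a directory component")
    name = PurePosixPath(user_filename).name
    if name in ("", ".", ".."):
        raise ValueError("invalid filename")

    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_IMAGE_EXTS:
        raise ValueError(f"extension not allowed: {name}")
    if any(s in ACTIVE_CONTENT_EXTS for s in suffixes):
        raise ValueError(f"active content extension hidden in name: {name}")

    base = base_dir.resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):
        raise ValueError("resolved path escapes the upload directory")
    return target


def is_safe_upload(base_dir: Path, user_filename: str) -> bool:
    """Boolean wrapper around resolve_upload_target() for easy checking."""
    try:
        resolve_upload_target(base_dir, user_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the directory does not need to exist for the checks to run.
    base = Path("/srv/store/pub/media/review_uploads")
    for candidate in ["photo.jpg", "../../pub/shell.php", "shell.phtml", "shell.php.jpg", "a/b.png"]:
        print(f"{candidate!r:24} -> {'accept' if is_safe_upload(base, candidate) else 'reject'}")
```

Even with this confinement in place, the directory the files land in should still be one where the web server refuses to execute PHP (recommendation 5 below); the two controls are meant to fail independently.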

For comparison: the Order Attributes bug has been under attack since the day it was patched. Shield blocked over 12,000 attempts against 25% of all Magento stores in three days. We expect the same here.

Medium

  • Landing Pages. Packages amasty/xlanding, amasty/xlanding-graphql. First secure version 2.0.4.
  • Social Login. Packages amasty/social-login, amasty/social-login-apple-id, amasty/social-login-graphql. First secure version Lite 1.12.13 / Pro 2.1.0.
  • Image Optimizer. Package amasty/module-image-optimizer-visited-pages. First secure version 2.5.0.
  • Follow Up Email. Package amasty/followup. First secure version 1.5.0.
  • Promotions Manager. Package amasty/rgrid. First secure version 1.0.11.
  • GDPR. Package amasty/module-gdpr. First secure version 2.19.0.
  • Reward Points. Packages amasty/rewards, amasty/module-rewards-referral-hyva. First secure version 2.7.0.
  • AJAX Shopping Cart. Package amasty/cart. First secure version 1.12.3.
  • Mega Menu. Package amasty/module-mega-menu-lite. First secure version 1.5.10.
  • Out of Stock Notification. Packages amasty/xnotif, amasty/module-out-of-stock-hyva-compatibility. First secure version 1.20.0.
  • ChatGPT AI Content Generator. Packages amasty/module-ai-content-generator-pro, amasty/module-ai-image-generator. First secure version 6.3.2.
  • Product Attachments. Package amasty/product-attachment-api. First secure version 3.7.0.
  • Request a Quote Pro. Package amasty/module-request-quote-pro-functionality. First secure version 1.9.0.

Low

  • Omnibus Price Tracker. Package amasty/module-price-history. First secure version 1.7.2.
  • Store Credit. Package amasty/store-credit. First secure version 1.5.2.
  • Google Indexing API. Package amasty/module-google-indexing-api. First secure version 1.0.2.
  • Google Rich Snippets. Package amasty/module-google-rich-snippets. First secure version 1.10.1.
  • B2B Company Account. Package amasty/module-company-account. First secure version 2.9.0.
  • RMA. Package amasty/module-rma-subscription-package-premium. First secure version 1.5.3.
  • Payment Restrictions. Package amasty/payrestriction. First secure version 2.5.4.
  • Special Promotions. Packages amasty/module-special-promo, amasty/module-special-promo-pro. First secure version 2.17.4.
  • Shipping Cost Calculator. Package amasty/module-shipping-calculator. First secure version 1.1.2.
  • Banners Lite. Package amasty/module-banners-lite. First secure version 1.2.8.
  • Cookie Consent. Package amasty/gdpr-cookie. First secure version 2.18.0.

Troubleshooting when upgrading

Landing Pages backoffice may crash after updating to 2.0.4

If you notice a crash when editing landing pages in the backoffice after updating Amasty Landing Pages to version 2.0.4, and you have not installed Magento's PageBuilder module (or have it disabled), the following patch on top of Amasty's module appears to resolve the problem. Credits to Pieter Hoste.

diff --git a/view/adminhtml/ui_component/amasty_xlanding_page_edit_form.xml b/view/adminhtml/ui_component/amasty_xlanding_page_edit_form.xml
index b5bbb3b..413d8bd 100644
--- a/view/adminhtml/ui_component/amasty_xlanding_page_edit_form.xml
+++ b/view/adminhtml/ui_component/amasty_xlanding_page_edit_form.xml
@@ -329,7 +329,7 @@
                 <label translate="true">Top Description</label>
             </settings>
             <formElements>
-                <wysiwyg class="Magento\Catalog\Ui\Component\Category\Form\Element\Wysiwyg">
+                <wysiwyg class="Magento\Ui\Component\Form\Element\Wysiwyg">
                     <settings>
                         <rows>8</rows>
                         <wysiwyg>true</wysiwyg>
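Review bot: the class swap on the Top Description field is not documented anywhere in the XML; since the surrounding `<settings>` (`<rows>8</rows>`, `<wysiwyg>true</wysiwyg>`) are kept as-is, add an XML comment directly above the changed `<wysiwyg class="Magento\Ui\Component\Form\Element\Wysiwyg">` line stating that the category-specific element class is replaced because landing pages are not catalog categories, so a later module upgrade does not silently reintroduce the old class.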
@@ -359,7 +359,7 @@
                 <label translate="true">Bottom Description</label>
             </settings>
             <formElements>
-                <wysiwyg class="Magento\Catalog\Ui\Component\Category\Form\Element\Wysiwyg">
+                <wysiwyg class="Magento\Ui\Component\Form\Element\Wysiwyg">
                     <settings>
                         <rows>8</rows>
                         <wysiwyg>true</wysiwyg>
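Review bot: this hunk repeats the Top Description substitution for the Bottom Description field, and the two hunks only cover these two fields; before applying, grep the form XML for any remaining `<wysiwyg class="Magento\Catalog\Ui\Component\Category\Form\Element\Wysiwyg">` occurrence, since a third field left on the category class would still trigger the same crash when the edit form loads.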

The original class Amasty used, Magento\Catalog\Ui\Component\Category\Form\Element\Wysiwyg, tries to load category attributes, which fails because landing pages are their own dedicated entity. The PageBuilder module likely overrides this class in some way, which is why stores with PageBuilder active do not hit the crash.

This is a community workaround, not an official Amasty fix. It may not be the correct solution, and it comes with no warranties.

Sansec Shield protection

Sansec Shield already blocks the critical issues. It inspects incoming requests and rejects dangerous file uploads before they reach disk, whatever your pub/media config. The rule is not tied to a signature, so it also stops the wider class of unauthenticated upload attacks. Emergency mitigation for the medium severity issues is in progress.

Amasty and Sansec partner up

We applaud Amasty for this release. Upgrading this many extensions at once can be painful for merchants, but eventually this will pay off with fewer hacked stores.

We are also proud to announce that as of today, Sansec and Amasty are official partners. Amasty merchants get 20% off the first year of any Sansec product with coupon code AMASTY at checkout.

Recommendations

  1. Update now: Upgrade every affected Amasty extension to the first secure version listed above. Some releases are backward incompatible.
  2. Block attacks: Deploy Sansec Shield to block exploitation of the critical file upload flaws in real time, including on stores that cannot patch immediately.
  3. Scan for compromise: Run eComscan to detect webshells, backdoors and other malware.
  4. Check web directories: Review web directories for unexpected files, especially those ending in .php, .phtml, .phar, .html and .svg.
  5. Block PHP in media: Ensure pub/media cannot execute PHP as defense in depth.

Timeline

Date            Event
June 12, 2026   Amasty releases fixed Order Attributes 4.0.0
June 12, 2026   Sansec Shield blocks first live Order Attributes attack
June 29, 2026   Amasty publishes private security updates for its extensions
June 30, 2026   Sansec adds Shield protection for the critical issues
July 2, 2026    Amasty public disclosure
July 3, 2026    This advisory published
