Amasty patches 25 Magento extensions, 1 critical
by Sansec Forensics Team
Published in Threat Research − July 02, 2026
Amasty issues a massive security release for 25 extensions. One is critical and can lead to remote code execution. Sansec Shield already blocks the critical issues, and emergency mitigation for the medium severity issues is in progress.

Amasty is one of the largest ecommerce extension vendors, with many thousands of modules installed worldwide. This security release affects almost every Magento & Adobe Commerce store, so you should probably take action today.
Running Sansec Shield? You are protected already!
If not, we strongly recommend upgrading the critical extensions today and scheduling the remaining extensions for upgrade in the next 4 weeks.
Affected extensions
Critical
- Advanced Product Reviews. An attacker can upload a web shell with no login and run code on your store, giving full control. Packages amasty/advanced-review, amasty/advanced-review-graphql. First secure version 1.17.1.
This is worse than the similar Order Attributes flaw that we covered recently, because this one allows arbitrary upload locations, which defeats the standard block on PHP execution under pub/media.
For comparison: the Order Attributes bug has been under attack since the day it was patched. Shield blocked over 12,000 attempts against 25% of all Magento stores in three days. We expect the same here.
Medium
- Landing Pages. Packages amasty/xlanding, amasty/xlanding-graphql. First secure version 2.0.4.
- Social Login. Packages amasty/social-login, amasty/social-login-apple-id, amasty/social-login-graphql. First secure version Lite 1.12.13 / Pro 2.1.0.
- Image Optimizer. Package amasty/module-image-optimizer-visited-pages. First secure version 2.5.0.
- Follow Up Email. Package amasty/followup. First secure version 1.5.0.
- Promotions Manager. Package amasty/rgrid. First secure version 1.0.11.
- GDPR. Package amasty/module-gdpr. First secure version 2.19.0.
- Reward Points. Packages amasty/rewards, amasty/module-rewards-referral-hyva. First secure version 2.7.0.
- AJAX Shopping Cart. Package amasty/cart. First secure version 1.12.3.
- Mega Menu. Package amasty/module-mega-menu-lite. First secure version 1.5.10.
- Out of Stock Notification. Packages amasty/xnotif, amasty/module-out-of-stock-hyva-compatibility. First secure version 1.20.0.
- ChatGPT AI Content Generator. Packages amasty/module-ai-content-generator-pro, amasty/module-ai-image-generator. First secure version 6.3.2.
- Product Attachments. Package amasty/product-attachment-api. First secure version 3.7.0.
- Request a Quote Pro. Package amasty/module-request-quote-pro-functionality. First secure version 1.9.0.
Low
- Omnibus Price Tracker. Package amasty/module-price-history. First secure version 1.7.2.
- Store Credit. Package amasty/store-credit. First secure version 1.5.2.
- Google Indexing API. Package amasty/module-google-indexing-api. First secure version 1.0.2.
- Google Rich Snippets. Package amasty/module-google-rich-snippets. First secure version 1.10.1.
- B2B Company Account. Package amasty/module-company-account. First secure version 2.9.0.
- RMA. Package amasty/module-rma-subscription-package-premium. First secure version 1.5.3.
- Payment Restrictions. Package amasty/payrestriction. First secure version 2.5.4.
- Special Promotions. Packages amasty/module-special-promo, amasty/module-special-promo-pro. First secure version 2.17.4.
- Shipping Cost Calculator. Package amasty/module-shipping-calculator. First secure version 1.1.2.
- Banners Lite. Package amasty/module-banners-lite. First secure version 1.2.8.
- Cookie Consent. Package amasty/gdpr-cookie. First secure version 2.18.0.
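To check an installation against the Critical and Medium lists above, the following added example (not Sansec's or Amasty's code) compares the packages in a parsed composer.lock with the first secure versions. It assumes each listed version applies to every package named for that extension; the function names and sample lock data are constructed for illustration, and Low rows can be appended in the same format.

```python
import re

# Rows copied from the Critical and Medium lists above: severity, first secure
# version, packages. Assumption: the version applies to every package named.
# Social Login is left out (Lite/Pro versions are not mapped to packages).
ADVISORY = """
critical 1.17.1 amasty/advanced-review amasty/advanced-review-graphql
medium 2.0.4 amasty/xlanding amasty/xlanding-graphql
medium 2.5.0 amasty/module-image-optimizer-visited-pages
medium 1.5.0 amasty/followup
medium 1.0.11 amasty/rgrid
medium 2.19.0 amasty/module-gdpr
medium 2.7.0 amasty/rewards amasty/module-rewards-referral-hyva
medium 1.12.3 amasty/cart
medium 1.5.10 amasty/module-mega-menu-lite
medium 1.20.0 amasty/xnotif amasty/module-out-of-stock-hyva-compatibility
medium 6.3.2 amasty/module-ai-content-generator-pro amasty/module-ai-image-generator
medium 3.7.0 amasty/product-attachment-api
medium 1.9.0 amasty/module-request-quote-pro-functionality
"""

def parse_version(text):
    """Turn '1.17.1', 'v1.17.1' or '1.17.1-p2' into a comparable tuple."""
    nums = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(n) for n in nums.group(1).split(".")) if nums else None

def audit_lock(lock):
    """Return (severity, package, installed, first_secure) for outdated packages."""
    rows = [r.split() for r in ADVISORY.split("\n") if r.strip()]
    wanted = {name: (r[0], r[1]) for r in rows for name in r[2:]}
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, version = pkg.get("name", "").lower(), pkg.get("version", "")
        if name in wanted:
            severity, fixed = wanted[name]
            installed = parse_version(version)
            # Unparseable versions (dev branches) are reported, not passed
            if installed is None or installed < parse_version(fixed):
                findings.append((severity, name, version, fixed))
    return sorted(findings)  # "critical" sorts before "medium"

# Constructed sample in the shape of json.load(open("composer.lock"))
SAMPLE_LOCK = {"packages": [
    {"name": "amasty/advanced-review", "version": "1.16.4"},
    {"name": "amasty/xlanding", "version": "2.0.4"},
    {"name": "amasty/cart", "version": "dev-master"}]}

if __name__ == "__main__":
    print(*audit_lock(SAMPLE_LOCK), sep="\n")
```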
Troubleshooting when upgrading
Landing Pages backoffice may crash after updating to 2.0.4
If you notice a crash when editing landing pages in the backoffice after updating Amasty Landing Pages to version 2.0.4, and you have not installed Magento's PageBuilder module (or have it disabled), the following patch on top of Amasty's module appears to resolve the problem. Credits to Pieter Hoste.
diff --git a/view/adminhtml/ui_component/amasty_xlanding_page_edit_form.xml b/view/adminhtml/ui_component/amasty_xlanding_page_edit_form.xml
index b5bbb3b..413d8bd 100644
--- a/view/adminhtml/ui_component/amasty_xlanding_page_edit_form.xml
+++ b/view/adminhtml/ui_component/amasty_xlanding_page_edit_form.xml
@@ -329,7 +329,7 @@
<label translate="true">Top Description</label>
</settings>
<formElements>
- <wysiwyg class="Magento\Catalog\Ui\Component\Category\Form\Element\Wysiwyg">
+ <wysiwyg class="Magento\Ui\Component\Form\Element\Wysiwyg">
<settings>
<rows>8</rows>
<wysiwyg>true</wysiwyg>
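Review bot: The Top Description class swap at line 329 edits the vendor's amasty_xlanding_page_edit_form.xml directly, so it will be silently overwritten by the next package update, and the offsets only match the file at index b5bbb3b. Suggest carrying this as a tracked patch pinned to Landing Pages 2.0.4, so that it fails to apply visibly once Amasty ships a changed form, and noting in the patch description that it is only needed on stores without PageBuilder.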
@@ -359,7 +359,7 @@
<label translate="true">Bottom Description</label>
</settings>
<formElements>
- <wysiwyg class="Magento\Catalog\Ui\Component\Category\Form\Element\Wysiwyg">
+ <wysiwyg class="Magento\Ui\Component\Form\Element\Wysiwyg">
<settings>
<rows>8</rows>
<wysiwyg>true</wysiwyg>
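Review bot: Only the Top Description and Bottom Description wysiwyg elements are changed here (lines 329 and 359), and nothing in the patch shows that these are the only uses of Magento\Catalog\Ui\Component\Category\Form\Element\Wysiwyg in the form. Search the rest of the file for that class before shipping, since any remaining reference would still try to load category attributes, and confirm in the backoffice that both fields still load and save on a store without PageBuilder.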
The original class Amasty used, Magento\Catalog\Ui\Component\Category\Form\Element\Wysiwyg, tries to load category attributes, which fails because landing pages are their own dedicated entity. The PageBuilder module likely overrides this class in some way, which is why stores with PageBuilder active do not hit the crash.
This is a community workaround, not an official Amasty fix. It may not be the correct solution, and it comes with no warranties.
Sansec Shield protection
Sansec Shield already blocks the critical issues. It inspects incoming requests and rejects dangerous file uploads before they reach disk, whatever your pub/media config. The rule is not tied to a signature, so it also stops the wider class of unauthenticated upload attacks. Emergency mitigation for the medium severity issues is in progress.
Amasty and Sansec partner up
We applaud Amasty for this release. Upgrading this many extensions at once can be painful for merchants, but eventually this will pay off with fewer hacked stores.
We are also proud to announce that as of today, Sansec and Amasty are official partners. Amasty merchants get 20% off the first year of any Sansec product with coupon code AMASTY at checkout.
Recommendations
- Update now: Upgrade every affected Amasty extension to the first secure version listed above. Some releases are backward incompatible.
- Block attacks: Deploy Sansec Shield to block exploitation of the critical file upload flaws in real time, including on stores that cannot patch immediately.
- Scan for compromise: Run eComscan to detect webshells, backdoors and other malware.
- Check web directories: Review unexpected files, especially .php, .phtml, .phar, .html and .svg.
- Block PHP in media: Ensure pub/media cannot execute PHP as defense in depth.
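The web directory review in the list above can be scripted. This added example (not part of Sansec's tooling) walks a web root, always reports PHP-type files under media/, and reports the other listed extensions when they changed on or after a cutoff date. The function name, the assumption that the path passed in is Magento's pub/ directory, and the cutoff are choices made for this example.

```python
import os
import sys
import time

SUSPECT_EXT = {".php", ".phtml", ".phar", ".html", ".svg"}  # from the list above
PHP_EXT = {".php", ".phtml", ".phar"}  # should never exist under media/

def review_web_root(web_root, since_epoch):
    """Return (mtime, relative_path, reason) tuples, newest first.

    PHP-type files under media/ are always reported; other suspect files are
    reported when modified at or after since_epoch. mtime can be reset by an
    intruder, so an empty result does not prove the store is clean.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        in_media = rel_dir.split(os.sep)[0] == "media"
        for fname in files:
            ext = os.path.splitext(fname)[1].lower()
            if ext not in SUSPECT_EXT:
                continue
            try:
                mtime = os.lstat(os.path.join(dirpath, fname)).st_mtime
            except OSError:
                continue  # removed or unreadable while walking
            rel = os.path.normpath(os.path.join(rel_dir, fname))
            if in_media and ext in PHP_EXT:
                hits.append((mtime, rel, "php-in-media"))
            elif mtime >= since_epoch:
                hits.append((mtime, rel, "recent"))
    return sorted(hits, reverse=True)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: review.py <path-to-pub> <YYYY-MM-DD>")
    cutoff = time.mktime(time.strptime(sys.argv[2], "%Y-%m-%d"))
    for mtime, rel, reason in review_web_root(sys.argv[1], cutoff):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(stamp, reason, rel)
```

Because the critical flaw allows arbitrary upload locations, run it against the whole web root rather than pub/media alone.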
Timeline
| Date | Event |
|---|---|
| June 12, 2026 | Amasty releases fixed Order Attributes 4.0.0 |
| June 12, 2026 | Sansec Shield blocks first live Order Attributes attack |
| June 29, 2026 | Amasty publishes private security updates for its extensions |
| June 30, 2026 | Sansec adds Shield protection for the critical issues |
| July 2, 2026 | Amasty public disclosure |
| July 3, 2026 | This advisory published |