Unauthenticated file upload in Amasty Order Attributes for Magento
by Sansec Forensics Team
Published in Threat Research - June 12, 2026
An unauthenticated arbitrary file upload flaw in Amasty Order Attributes (CVE-2026-53787) lets attackers write executable files to a Magento store without logging in, opening the door to remote code execution. Amasty fixed it in version 4.0.0.

Amasty Order Attributes, a popular checkout extension for Magento 2 and Adobe Commerce, contains an unauthenticated arbitrary file upload vulnerability. An attacker can upload a file of any type and name to the store's media directory with no login, no session and no cart. Where that directory can execute PHP, this leads to remote code execution (CWE-434).
All versions up to and including 3.16.0 are affected. Amasty released a fix, version 4.0.0, on June 12, 2026. The vulnerability is tracked as CVE-2026-53787 and has a critical CVSS score of 9.3.
Sansec Shield blocks these uploads in real time, so stores running Shield are protected even before they patch.
A quietly patched flaw
Amasty's changelog describes the 4.0.0 release as "we enhanced code to resolve a potential security vulnerability." The same notes flag the change as backward incompatible, because a new mandatory attribute_code parameter was added to the upload endpoint. The fix validates uploads before committing them, enforces an extension allow-list and requires a real file attribute.
Impact for merchants
A successful upload gives an attacker a foothold on the server. The consequences scale with store configuration:
- Remote code execution: Where pub/media can execute PHP, an uploaded script runs with the web server's privileges, enabling payment skimmers, backdoors, admin account creation and data theft.
- Malware hosting: Stores that block PHP execution can still be turned into hosts for .phar payloads, phishing kits and other malware served from a trusted domain.
- Stored XSS and SVG injection: Uploaded HTML or SVG files execute scripts in a visitor's or administrator's browser, leading to session theft and admin takeover.
- Path traversal: On 3.16.0 the unsanitized filename also lets an attacker write outside the intended amasty_checkout folder. On versions prior to 2.4.2 it escapes the media directory entirely.
The attack needs no credentials, fires on ordinary storefront traffic and is trivial to automate across many stores. Now that a patch exists, the fix points attackers at the vulnerable code, so unpatched stores face rising scanning pressure.
Sansec Shield protection
Sansec Shield inspects incoming requests at your application servers and blocks attempts to upload executable or dangerous file types to these endpoints. The file is rejected before it reaches disk, regardless of how pub/media is configured.
This protection is not tied to a version or signature. Shield evaluates the upload itself, so it stops abuse of this flaw and the wider class of unauthenticated upload attacks against Magento extensions. Stores that cannot patch right away stay protected.
Recommendations
- Update now: Upgrade Amasty Order Attributes to 4.0.0 or later. The release is backward incompatible: the upload API now requires an attribute_code parameter, so test any custom checkout integration that calls it.
- Block attacks: Deploy Sansec Shield to block these uploads in real time, including on stores that cannot patch immediately.
- Scan for compromise: Run eComscan to detect webshells, backdoors and other malware.
- Check web directories: Review unexpected files, especially .php, .phtml, .phar, .html and .svg, under pub/media and in particular pub/media/amasty_checkout.
- Block PHP in media: Ensure pub/media cannot execute PHP as defense in depth.
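The two checks above can be scripted. The following is an added example, not Sansec's or Amasty's code: it lists files under a Magento media directory that carry the extensions named above, and probes a running store to confirm that the web server does not execute PHP under /media/. The path pub/media (relative to the Magento root), the probe file name and the use of curl are assumptions; adjust the base URL and directory to your deployment.

```shell
#!/bin/sh
# Added example (not from the advisory or from Amasty). Two checks a merchant
# can run after reading the recommendations above.

# List files whose extension can execute on the server (.php, .phtml, .phar)
# or run scripts in a browser (.html, .svg). Legitimate .svg/.html files do
# exist in some stores, so treat the output as a review list, not a delete list.
# $1: media directory (assumed default: pub/media relative to the Magento root)
find_suspicious_media() {
    media_dir="${1:-pub/media}"
    find "$media_dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.html' -o -iname '*.svg' \) -print 2>/dev/null | sort
}

# Number of matches, handy for a cron job that alerts on a non-zero count.
count_suspicious_media() {
    find_suspicious_media "$1" | wc -l | tr -d ' '
}

# Probe whether the web server executes PHP placed under pub/media. Writes a
# throwaway .php file with a random name, fetches it over HTTP, removes it.
# A 403, a 404, or the raw source being served all mean PHP is not executed;
# only the marker string in the body means the server ran it.
# $1: store base URL (e.g. https://example.test), $2: local media directory.
# Assumes pub/media is served at /media/ (Magento's default) and curl is installed.
probe_media_php_exec() {
    base_url="$1"
    media_dir="${2:-pub/media}"
    name="media-exec-probe-$$-$(date +%s).php"
    printf '<?php echo "PHP-EXECUTED"; ?>' > "$media_dir/$name" || return 2
    body=$(curl -s --max-time 10 "$base_url/media/$name")
    rm -f "$media_dir/$name"
    case "$body" in
        *PHP-EXECUTED*) echo "FAIL: $base_url/media/ executes PHP"; return 1 ;;
        *)              echo "OK: $base_url/media/ does not execute PHP"; return 0 ;;
    esac
}

# Usage: sh check_media.sh [media_dir] [base_url]
if [ "$#" -gt 0 ]; then
    find_suspicious_media "$1"
    if [ -n "$2" ]; then
        probe_media_php_exec "$2" "$1"
    fi
fi
```

The probe writes one file to the media directory of a live store, so run it from the host that owns pub/media and expect a CDN in front of the store to possibly cache the first response; Magento's shipped pub/media/.htaccess and nginx.conf.sample are meant to deny PHP there, and the probe confirms that the running configuration actually does.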
Timeline
| Date | Event |
|---|---|
| June 12, 2026 | Amasty releases fixed version 4.0.0 |
| June 12, 2026 | Sansec Shield rules deployed |
| June 12, 2026 | This advisory published |
| June 12, 2026 | CVE-2026-53787 published |