ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-53787 Unauthenticated File Upload in Amasty Order Attributes for Magento 2

A short review of CVE-2026-53787, a critical unauthenticated arbitrary file upload vulnerability in Amasty Order Attributes for Magento 2 that can lead to remote code execution, stored XSS, and path traversal on affected stores.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-12

Brief Summary: CVE-2026-53787 Unauthenticated File Upload in Amasty Order Attributes for Magento 2
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated file upload endpoint in one of Magento's most popular third party checkout extensions just handed attackers a zero friction path to remote code execution on potentially thousands of e-commerce stores. CVE-2026-53787, disclosed on June 12, 2026, affects Amasty Order Attributes for Magento 2 and carries a CVSS 3.1 score of 9.8, reflecting the fact that exploitation requires no credentials, no session, and no user interaction whatsoever.

Amasty is a major Magento extension vendor that has been operating since 2009, maintaining a portfolio of over 270 modules and positioning itself as the "#1 Magento Solutions Provider." The Order Attributes extension allows merchants to add custom fields to checkout steps, including a "Single File Upload" attribute type that lets customers attach files to orders. Given Amasty's market presence and the extension's popularity, the affected install base is substantial across the Magento ecosystem.

Technical Information

Root Cause: CWE-434 Unrestricted Upload of File with Dangerous Type

The vulnerability resides in the upload endpoint of the Order Attributes extension's "Single File Upload" attribute type. The core flaw is a complete absence of security controls at three distinct layers:

No authentication required. The upload endpoint can be reached without logging in, without a valid session, and without any cart context. An attacker can send a POST request directly to the endpoint via ordinary storefront traffic. This is reflected in the CVSS vector's PR:N (No Privileges Required) and UI:N (No User Interaction) components.

No file type validation. The endpoint accepts files of any type and any name. There is no extension allow list, no content type verification, and no MIME type checking. Executable files such as .php, .phtml, or .phar are accepted without restriction.

No filename sanitization (path traversal). The filename parameter is not sanitized against directory traversal sequences. This introduces a version dependent risk gradient:

Version RangePath Traversal Scope
Versions prior to 2.4.2Full escape from pub/media directory; writes to arbitrary server locations
Version 3.16.0 and earlierTraversal outside the amasty_checkout subfolder within pub/media

CVSS Scoring

Metric SystemScoreSeverityVector String
CVSS 3.19.8CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.09.3CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

The Network attack vector, Low attack complexity, and No privileges required together mean that any remote attacker can exploit this flaw with minimal effort from anywhere on the internet.

Attack Flow

The primary exploitation scenario, remote code execution via PHP file upload, proceeds as follows:

  1. Reconnaissance. The attacker identifies a Magento store running Amasty Order Attributes by probing for the extension's upload endpoint or identifying the extension through storefront markup.

  2. File upload. The attacker sends a POST request to the upload endpoint containing a PHP webshell. No authentication token, session cookie, or cart identifier is needed. The file is written to the pub/media/amasty_checkout/ directory (or, via path traversal, to other locations).

  3. Code execution. The attacker accesses the uploaded file via its URL (e.g., https://target.store/media/amasty_checkout/shell.php). On servers where the pub/media directory permits PHP execution, the webshell executes with the web server's privileges.

  4. Post exploitation. With arbitrary command execution, the attacker can exfiltrate customer data, install payment card skimmers in checkout templates, access the database directly, or establish persistent backdoors.

Alternative Exploitation Outcomes

Remote code execution is the highest impact scenario but requires PHP execution to be enabled in the media directory. Other exploitation paths do not have this prerequisite:

Attack TypeFile TypesOutcomePrerequisites
Remote Code Execution.php, .phtml, .pharFull server compromisePHP execution enabled in media directory
Stored XSS / SVG Injection.html, .svgClient side code execution in admin or customer browsersVictim visits uploaded file URL
Malware HostingAny file typeServe malicious payloads, phishing pages, or C2 tools from the store's domainNone
Path Traversal WriteAny file type with ../ in nameWrite files outside intended directoryVersions prior to 2.4.2 for full escape; 3.16.0 and earlier for partial

How Version 4.0.0 Addresses the Vulnerability

Amasty released version 4.0.0 on June 12, 2026, implementing three specific security controls:

  1. Mandatory attribute_code parameter: The upload endpoint now requires a valid attribute_code parameter, preventing blind file uploads to arbitrary attribute contexts.
  2. Extension allow list: Only permitted file extensions are accepted; executable types like .php, .phtml, and .phar are rejected.
  3. Pre commit validation: Files are validated before being written to disk, rather than after, eliminating race conditions or partial writes.

Connection to the PolyShell Campaign

This vulnerability follows a pattern that Magento threat actors have already operationalized at scale. In March 2026, Sansec disclosed PolyShell, an unrestricted file upload flaw in the Magento REST API core that allowed attackers to upload executable files disguised as images using polyglot techniques. Sansec observed PolyShell attacks targeting 79.5% of all Magento stores, with automated mass scanning beginning within two days of disclosure. Attackers deployed accesson.php backdoors and obfuscated two stage JavaScript persistence loaders.

CVE-2026-53787 presents a nearly identical attack surface: unauthenticated file upload to the media directory. The existing automated infrastructure built for PolyShell exploitation can likely be adapted to target this vulnerability with minimal modification.

Affected Systems and Versions

All versions of Amasty Order Attributes for Magento 2 prior to version 4.0.0 are affected. Specifically:

  • All versions up to and including 3.16.0: Vulnerable to unauthenticated arbitrary file upload and path traversal outside the amasty_checkout subfolder.
  • Versions prior to 2.4.2: Additionally vulnerable to full path traversal escape from the pub/media directory, enabling writes to arbitrary server locations.
  • Fixed version: 4.0.0, released June 12, 2026.

The vulnerability is exploitable on any Magento 2 store running the affected extension versions. The RCE variant specifically requires that the web server configuration permits PHP execution within the pub/media/ directory or its subdirectories, which is the case in many default or misconfigured Magento deployments.

Vendor Security History

Amasty has at least one prior publicly disclosed vulnerability:

CVE IDProductTypeCVSSYearStatus
CVE-2022-36432Amasty Blog Pro 2.10.3XSS via unsafe eval in Preview5.4 (Medium)2022Fixed in 2.10.5
CVE-2026-53787Amasty Order Attributes < 4.0.0Unauthenticated arbitrary file upload9.8 (Critical)2026Fixed in 4.0.0

The prior CVE-2022-36432 was a medium severity XSS flaw with an EPSS score of 0.27%. CVE-2026-53787 represents a significant escalation in both severity and attack surface. On the positive side, Amasty's same day release of the fix alongside the Sansec disclosure indicates coordinated vulnerability handling. The company also publishes a Magento Security Patches Calendar on its blog, referencing critical vulnerabilities such as SessionReaper (CVE-2025-54236), which suggests ongoing engagement with the broader Magento security landscape.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization