Introduction
An unauthenticated file upload endpoint in one of Magento's most popular third party checkout extensions just handed attackers a zero friction path to remote code execution on potentially thousands of e-commerce stores. CVE-2026-53787, disclosed on June 12, 2026, affects Amasty Order Attributes for Magento 2 and carries a CVSS 3.1 score of 9.8, reflecting the fact that exploitation requires no credentials, no session, and no user interaction whatsoever.
Amasty is a major Magento extension vendor that has been operating since 2009, maintaining a portfolio of over 270 modules and positioning itself as the "#1 Magento Solutions Provider." The Order Attributes extension allows merchants to add custom fields to checkout steps, including a "Single File Upload" attribute type that lets customers attach files to orders. Given Amasty's market presence and the extension's popularity, the affected install base is substantial across the Magento ecosystem.
Technical Information
Root Cause: CWE-434 Unrestricted Upload of File with Dangerous Type
The vulnerability resides in the upload endpoint of the Order Attributes extension's "Single File Upload" attribute type. The core flaw is a complete absence of security controls at three distinct layers:
No authentication required. The upload endpoint can be reached without logging in, without a valid session, and without any cart context. An attacker can send a POST request directly to the endpoint via ordinary storefront traffic. This is reflected in the CVSS vector's PR:N (No Privileges Required) and UI:N (No User Interaction) components.
No file type validation. The endpoint accepts files of any type and any name. There is no extension allow list, no content type verification, and no MIME type checking. Executable files such as .php, .phtml, or .phar are accepted without restriction.
No filename sanitization (path traversal). The filename parameter is not sanitized against directory traversal sequences. This introduces a version dependent risk gradient:
| Version Range | Path Traversal Scope |
|---|---|
| Versions prior to 2.4.2 | Full escape from pub/media directory; writes to arbitrary server locations |
| Version 3.16.0 and earlier | Traversal outside the amasty_checkout subfolder within pub/media |
CVSS Scoring
| Metric System | Score | Severity | Vector String |
|---|---|---|---|
| CVSS 3.1 | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS 4.0 | 9.3 | Critical | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
The Network attack vector, Low attack complexity, and No privileges required together mean that any remote attacker can exploit this flaw with minimal effort from anywhere on the internet.
Attack Flow
The primary exploitation scenario, remote code execution via PHP file upload, proceeds as follows:
-
Reconnaissance. The attacker identifies a Magento store running Amasty Order Attributes by probing for the extension's upload endpoint or identifying the extension through storefront markup.
-
File upload. The attacker sends a POST request to the upload endpoint containing a PHP webshell. No authentication token, session cookie, or cart identifier is needed. The file is written to the
pub/media/amasty_checkout/directory (or, via path traversal, to other locations). -
Code execution. The attacker accesses the uploaded file via its URL (e.g.,
https://target.store/media/amasty_checkout/shell.php). On servers where thepub/mediadirectory permits PHP execution, the webshell executes with the web server's privileges. -
Post exploitation. With arbitrary command execution, the attacker can exfiltrate customer data, install payment card skimmers in checkout templates, access the database directly, or establish persistent backdoors.
Alternative Exploitation Outcomes
Remote code execution is the highest impact scenario but requires PHP execution to be enabled in the media directory. Other exploitation paths do not have this prerequisite:
| Attack Type | File Types | Outcome | Prerequisites |
|---|---|---|---|
| Remote Code Execution | .php, .phtml, .phar | Full server compromise | PHP execution enabled in media directory |
| Stored XSS / SVG Injection | .html, .svg | Client side code execution in admin or customer browsers | Victim visits uploaded file URL |
| Malware Hosting | Any file type | Serve malicious payloads, phishing pages, or C2 tools from the store's domain | None |
| Path Traversal Write | Any file type with ../ in name | Write files outside intended directory | Versions prior to 2.4.2 for full escape; 3.16.0 and earlier for partial |
How Version 4.0.0 Addresses the Vulnerability
Amasty released version 4.0.0 on June 12, 2026, implementing three specific security controls:
- Mandatory
attribute_codeparameter: The upload endpoint now requires a validattribute_codeparameter, preventing blind file uploads to arbitrary attribute contexts. - Extension allow list: Only permitted file extensions are accepted; executable types like
.php,.phtml, and.pharare rejected. - Pre commit validation: Files are validated before being written to disk, rather than after, eliminating race conditions or partial writes.
Connection to the PolyShell Campaign
This vulnerability follows a pattern that Magento threat actors have already operationalized at scale. In March 2026, Sansec disclosed PolyShell, an unrestricted file upload flaw in the Magento REST API core that allowed attackers to upload executable files disguised as images using polyglot techniques. Sansec observed PolyShell attacks targeting 79.5% of all Magento stores, with automated mass scanning beginning within two days of disclosure. Attackers deployed accesson.php backdoors and obfuscated two stage JavaScript persistence loaders.
CVE-2026-53787 presents a nearly identical attack surface: unauthenticated file upload to the media directory. The existing automated infrastructure built for PolyShell exploitation can likely be adapted to target this vulnerability with minimal modification.
Affected Systems and Versions
All versions of Amasty Order Attributes for Magento 2 prior to version 4.0.0 are affected. Specifically:
- All versions up to and including 3.16.0: Vulnerable to unauthenticated arbitrary file upload and path traversal outside the
amasty_checkoutsubfolder. - Versions prior to 2.4.2: Additionally vulnerable to full path traversal escape from the
pub/mediadirectory, enabling writes to arbitrary server locations. - Fixed version: 4.0.0, released June 12, 2026.
The vulnerability is exploitable on any Magento 2 store running the affected extension versions. The RCE variant specifically requires that the web server configuration permits PHP execution within the pub/media/ directory or its subdirectories, which is the case in many default or misconfigured Magento deployments.
Vendor Security History
Amasty has at least one prior publicly disclosed vulnerability:
| CVE ID | Product | Type | CVSS | Year | Status |
|---|---|---|---|---|---|
| CVE-2022-36432 | Amasty Blog Pro 2.10.3 | XSS via unsafe eval in Preview | 5.4 (Medium) | 2022 | Fixed in 2.10.5 |
| CVE-2026-53787 | Amasty Order Attributes < 4.0.0 | Unauthenticated arbitrary file upload | 9.8 (Critical) | 2026 | Fixed in 4.0.0 |
The prior CVE-2022-36432 was a medium severity XSS flaw with an EPSS score of 0.27%. CVE-2026-53787 represents a significant escalation in both severity and attack surface. On the positive side, Amasty's same day release of the fix alongside the Sansec disclosure indicates coordinated vulnerability handling. The company also publishes a Magento Security Patches Calendar on its blog, referencing critical vulnerabilities such as SessionReaper (CVE-2025-54236), which suggests ongoing engagement with the broader Magento security landscape.
References
- CVE Record: CVE-2026-53787
- Sansec Research: Unauthenticated file upload in Amasty Order Attributes
- VulnCheck Advisory: Amasty Order Attributes for Magento 2 Unauthenticated Arbitrary File Upload
- Amasty Order Attributes for Magento 2 Product Page
- GitHub Advisory: GHSA-mgg8-gq8g-gq88
- Cyber Defence Vulnerability Database: CVE-2026-53787
- VulDB: Amasty Order Attributes for Magento 2 Upload Vulnerability
- Sansec Research: PolyShell Unrestricted File Upload in Magento
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CVE-2022-36432: Amasty Blog Pro XSS
- Malwarebytes: Magecart Skimming Hits Major Payment Networks (January 2026)
- Sansec Research: SVG Onload Magecart Skimmer on 99 Stores
- CISA Known Exploited Vulnerabilities Catalog



