

























Amasty Order Attributes, a popular checkout extension for Magento 2 and Adobe Commerce, contains an unauthenticated arbitrary file upload vulnerability. An attacker can upload a file of any type and name to the store's media directory with no login, no session and no cart. Where that directory can execute PHP, this leads to remote code execution (CWE-434).
All versions up to and including 3.16.0 are affected. Amasty released a fix, version 4.0.0, on June 12, 2026. The vulnerability is tracked as CVE-2026-53787 and has a critical CVSS score of 9.3.
Sansec Shield blocks these uploads in real time, so stores running Shield are protected even before they patch.
Amasty's changelog describes the 4.0.0 release as "we enhanced code to resolve a potential security vulnerability." The same notes flag the change as backward incompatible, because a new mandatory attribute_code parameter was added to the upload endpoint. The fix validates uploads before committing them, enforces an extension allow-list and requires a real file attribute.
A successful upload gives an attacker a foothold on the server. The consequences scale with store configuration:
pub/media can execute PHP, an uploaded script runs with the web server's privileges: payment skimmers, backdoors, admin account creation and data theft..phar payloads, phishing kits and other malware served from a trusted domain.amasty_checkout folder. On versions prior to 2.4.2 it escapes the media directory entirely.The attack needs no credentials, fires on ordinary storefront traffic and is trivial to automate across many stores. Now that a patch exists, the fix points attackers at the vulnerable code, so unpatched stores face rising scanning pressure.
Sansec Shield inspects incoming requests at your application servers and blocks attempts to upload executable or dangerous file types to these endpoints. The file is rejected before it reaches disk, regardless of how pub/media is configured.
This protection is not tied to a version or signature. Shield evaluates the upload itself, so it stops abuse of this flaw and the wider class of unauthenticated upload attacks against Magento extensions. Stores that cannot patch right away stay protected.
attribute_code parameter..php, .phtml, .phar, .html and .svg.pub/media cannot execute PHP as defense in depth.| Date | Event |
|---|---|
| June 12, 2026 | Amasty releases fixed version 4.0.0 |
| June 12, 2026 | Sansec Shield rules deployed |
| June 12, 2026 | This advisory published |
| June 12, 2026 | CVE-2026-53787 published |
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。