Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53787

CVE-2026-53787: Amasty Order Attributes RCE Vulnerability

CVE-2026-53787 is a critical remote code execution flaw in Amasty Order Attributes for Magento 2 that enables unauthenticated arbitrary file uploads. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-53787 Overview

CVE-2026-53787 is an unauthenticated arbitrary file upload vulnerability in the Amasty Order Attributes extension for Magento 2 before version 4.0.0. The upload endpoint accepts files of any type or name without authentication, session validation, or cart context. Attackers can write arbitrary files directly to the store's media directory. Successful exploitation leads to remote code execution when the media directory permits PHP execution. The flaw also enables malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory. The weakness is tracked as [CWE-434: Unrestricted Upload of File with Dangerous Type].

Critical Impact

Unauthenticated remote attackers can upload PHP webshells and gain full control of Magento 2 storefronts running vulnerable Amasty Order Attributes versions.

Affected Products

  • Amasty Order Attributes for Magento 2 versions prior to 4.0.0
  • Magento 2 storefronts with the vulnerable extension installed
  • E-commerce environments where the pub/media directory permits PHP execution

Discovery Timeline

  • 2026-06-12 - CVE-2026-53787 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-53787

Vulnerability Analysis

The Amasty Order Attributes extension exposes a file upload endpoint intended to support customer-supplied attachments during checkout. The endpoint fails to verify caller identity, session state, or association with a valid shopping cart. Any network-reachable client can submit a POST request containing arbitrary file content. The handler writes the uploaded data into the Magento media directory without enforcing file type, extension, MIME, or filename restrictions.

Attackers achieve remote code execution by uploading a PHP file and requesting it directly from the public media URL. On servers configured to execute PHP within pub/media, the uploaded webshell runs with the privileges of the web server user. The same primitive enables stored cross-site scripting through HTML or SVG payloads served from the same origin as the storefront. Path traversal sequences in the filename parameter allow writing outside the intended directory, potentially overwriting application files.

Root Cause

The root cause is missing input validation and missing access control on the upload controller. The extension trusts client-supplied filenames and content without performing extension allowlisting, MIME inspection, content sniffing, or authentication checks. No CSRF token or session binding is enforced.

Attack Vector

Exploitation requires only network access to the storefront. An attacker sends a crafted multipart HTTP POST to the vulnerable upload endpoint with a .php payload. The server stores the file under a predictable media path. The attacker then issues an HTTP GET to the resulting URL to trigger code execution. See the Sansec Research Report and the VulnCheck Advisory on Amasty for additional technical context.

Detection Methods for CVE-2026-53787

Indicators of Compromise

  • Unexpected .php, .phtml, .htaccess, .svg, or .html files in the Magento pub/media directory or subdirectories used by Amasty Order Attributes
  • POST requests to Amasty Order Attributes upload endpoints from clients without an active checkout session
  • Outbound connections initiated by the PHP-FPM or Apache process to unfamiliar hosts shortly after a media write event
  • New cron entries, modified app/etc/env.php, or unexpected admin user accounts created after suspicious upload activity

Detection Strategies

  • Monitor web server access logs for POST requests to Amasty upload routes returning HTTP 200 with no authenticated session cookie
  • Implement file integrity monitoring on the pub/media tree and alert on creation of executable file extensions
  • Inspect WAF logs for multipart uploads containing <?php, <script>, or path traversal sequences such as ../

Monitoring Recommendations

  • Forward Magento application logs, web server logs, and filesystem audit events to a centralized SIEM for correlation
  • Baseline normal upload volume per source IP and alert on anomalous bursts targeting Amasty endpoints
  • Hunt retrospectively for any media-directory PHP files created since the extension was installed

How to Mitigate CVE-2026-53787

Immediate Actions Required

  • Upgrade Amasty Order Attributes for Magento 2 to version 4.0.0 or later immediately
  • Audit the pub/media directory for unauthorized files and remove any webshells or suspicious uploads
  • Rotate Magento admin credentials, API tokens, and crypt key values if compromise is suspected
  • Review recent orders, admin user creations, and code changes for signs of post-exploitation activity

Patch Information

Amasty addressed the vulnerability in Order Attributes for Magento 2 version 4.0.0. Refer to the Amasty Product Page for the current release and upgrade instructions. Apply the update through Composer or the vendor's standard extension deployment workflow and clear Magento caches after installation.

Workarounds

  • Disable the Amasty Order Attributes module via bin/magento module:disable until patching is feasible
  • Configure the web server to deny PHP execution within pub/media using directory-level handler restrictions
  • Deploy a WAF rule blocking unauthenticated POST requests to the vulnerable upload endpoint
  • Restrict media-directory write permissions and validate uploads through a reverse proxy filter
bash
# Apache: prevent PHP execution in the Magento media directory
<Directory "/var/www/magento/pub/media">
    <FilesMatch "\.(php|phtml|phar|php5|php7)$">
        Require all denied
    </FilesMatch>
    php_flag engine off
    AddType text/plain .php .phtml .phar
</Directory>

# Nginx equivalent
location ~* ^/media/.*\.(php|phtml|phar)$ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.