CVE-2026-53787
Published 2026-06-12
Priority P276 · critical · CVSS 3.1: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.69% (88.3th percentile)
Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amasty | order_attributes_for_magento_2 | < 4.0.0 | 4.0.0 |
Detection & IOCs
- Detect unauthenticated POST requests to the Amasty upload endpoint at /rest/V1/amasty_orderattr/uploadFile, /rest/all/V1/amasty_orderattr/uploadFile, or /rest/default/V1/amasty_orderattr/uploadFile with a JSON body containing 'fileContent' and 'base64_encoded_data' — no authentication headers required by the attacker.
- Alert on successful (HTTP 200) responses from the upload endpoint that return application/json and echo back the submitted filename — this confirms a file was written to the media directory.
- Verify exploitation by checking if the uploaded file is accessible under /media/amasty_checkout/<c1>/<c2>/<filename> and returns HTTP 200 with text/plain content — confirms arbitrary write to the media directory.
- Use Shodan query 'http.component:"Magento"' and Google dork 'inurl:"/rest/V1/amasty_orderattr"' to identify potentially vulnerable Magento 2 instances running Amasty Order Attributes.
- Flag any PHP files uploaded to the /media/amasty_checkout/ directory tree, as successful PHP upload enables remote code execution on servers where the media directory permits PHP execution.
- Monitor for path traversal sequences in the 'fileName_with_extension' JSON field of POST requests to the upload endpoint, which can be used to write files outside the intended /media/amasty_checkout/ directory.
- The vulnerability affects Amasty Order Attributes for Magento 2 versions strictly before 4.0.0; version 4.0.0 and later are patched. Confirm the installed module version before treating a target as vulnerable.
- RCE via PHP upload is only achievable when the server's web configuration permits PHP execution inside the media directory; environments that block script execution there are only exposed to malware hosting and stored XSS vectors.
- The Nuclei template uses a randomised filename per run (rand_text_alpha), so detection rules based on static filenames will not match; focus on the endpoint path and JSON payload structure instead.
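
The detection points above applied to parsed proxy or WAF records, as an added example that is not part of the advisory or the Nuclei template. The record fields (`method`, `path`, `status`, `authorization`, `body`) and the JSON nesting in the samples are assumptions; the path match generalizes the three listed endpoints to any Magento store code, and the filename is looked up at any depth because the page does not show the body layout.

```python
import json
import re

# Endpoint from the advisory. The optional segment is the Magento store code:
# the page lists none, "all" and "default"; any store code is matched here.
UPLOAD_RE = re.compile(r"^/rest/(?:[^/]+/)?V1/amasty_orderattr/uploadFile/?(?:\?.*)?$", re.I)
SCRIPT_EXT = (".php", ".phtml", ".phar")  # run as code if media/ permits PHP
ACTIVE_EXT = (".html", ".htm", ".svg")    # stored-XSS carriers

def find_key(node, key):
    """Yield every value stored under `key` at any depth of parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def triage(event):
    """Return findings for one proxy/WAF record; [] if it is not an upload call."""
    if event.get("method") != "POST" or not UPLOAD_RE.match(event.get("path", "")):
        return []
    findings = ["upload-endpoint-hit"]
    if not event.get("authorization"):
        findings.append("unauthenticated")
    if event.get("status") == 200:
        findings.append("upload-accepted")
    try:
        body = json.loads(event.get("body") or "{}")
    except (ValueError, TypeError):
        return findings + ["unparseable-body"]
    for name in find_key(body, "fileName_with_extension"):
        name = str(name).replace("\\", "/").lower()
        if ".." in name.split("/") or name.startswith("/"):
            findings.append("path-traversal")
        if name.endswith(SCRIPT_EXT):
            findings.append("script-upload")
        elif name.endswith(ACTIVE_EXT):
            findings.append("active-content-upload")
    return findings

# Constructed records; the field names and the JSON nesting are assumptions.
SAMPLES = [
    {"method": "POST", "path": "/rest/default/V1/amasty_orderattr/uploadFile", "status": 200, "authorization": "", "body": '{"fileContent": {"base64_encoded_data": "Y29uc3RydWN0ZWQ=", "fileName_with_extension": "../../note.php"}}'},
    {"method": "POST", "path": "/rest/V1/amasty_orderattr/uploadFile", "status": 200, "authorization": "Bearer constructed-token", "body": '{"fileContent": {"base64_encoded_data": "Y29uc3RydWN0ZWQ=", "fileName_with_extension": "logo.svg"}}'},
    {"method": "GET", "path": "/rest/V1/products", "status": 200, "authorization": "", "body": ""},
]
```

Because the rule keys on the endpoint path and the filename field rather than a fixed filename, it is unaffected by the randomised names the template generates.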
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
Nuclei
Magento 2 Amasty Order Attributes < 4.0.0 - Unauthenticated Arbitrary File Upload
nuclei·CVSS 9.8
CVE-2026-53787 [CRITICAL] Magento 2 Amasty Order Attributes < 4.0.0 - Unauthenticated Arbitrary File Upload
Amasty Order Attributes for Magento 2 < 4.0.0 contains an unrestricted file upload vulnerability caused by lack of authentication and validation in the upload endpoint, letting unauthenticated attackers upload arbitrary files including PHP, enabling remote code execution or malware hosting.
Template:
```yaml
id: CVE-2026-53787

info:
  name: Magento 2 Amasty Order Attributes < 4.0.0 - Unauthenticated Arbitrary File Upload
  author: 0x_Akoko
  severity: critical
  description: |
    Amasty Order Attributes for Magento 2 < 4.0.0 contains an unrestricted file upload vulnerability caused by lack of authentication and validation in the upload endpoint, letting unauthenticated attackers upload arbitrary files including PHP, enablin
```
No writeups or analysis indexed.
2026-06-12
Published