Security Advisory - Published 2026-06-13 - Magento / Amasty

Magento Amasty Order Attributes CVE-2026-53787: upload and media directory check

Stores using Amasty Order Attributes for Magento 2 before 4.0.0 should patch quickly. The risk is strongest when the upload path is reachable without authentication and the media directory can execute server-side files.

Defensive scope: this page covers version checks, upload directory review, web-server configuration, and cleanup signals. It does not include upload payloads or testing against stores you do not own.

10-minute self-check

# Installed Amasty modules and their Composer versions (vendor/ is where Composer places the extension)
bin/magento module:status | grep -i Amasty
composer show | grep -i amasty
# Recently changed files under upload and static paths whose extension the web server might execute or the browser might render as active content; widen -mtime to cover the whole window the vulnerable version was installed
find pub/media var pub/static -type f -mtime -7 | grep -Ei '\.(php|phtml|phar|shtml|html|svg)$' | head -100
# Extension code still on disk, whether or not the module is enabled
find app/code vendor -maxdepth 5 \( -iname "*Order*Attribute*" -o -iname "*Amasty*" \)

Confirm the installed extension version from Composer (composer show) or the Magento admin panel. Disabling the module with module:disable does not delete its files: the vulnerable upload route and the old code stay on disk until the package is upgraded or removed, so a disabled module is not a patched one.
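The following script is an added example for the self-check above; it is not Amasty, Magento or Ping7 code. It reads package versions from composer.lock offline (composer show needs Composer on the host), compares them with 4.0.0, and scans the upload and static paths for files a web server might execute or a browser might render as active content. It goes beyond the page's one-liner by also catching double extensions such as photo.php.jpg and uploaded .htaccess files. Assumptions: 4.0.0 is the fixed release (taken from this advisory), and "amasty/module-order-attributes" is a placeholder package name that you must replace with the real one from composer show; the store tree and lock file it builds are constructed demo data.

```shell
#!/bin/sh
# Added example for the Amasty Order Attributes self-check; not Amasty, Magento
# or Ping7 code. Assumptions: 4.0.0 is the fixed release (from the advisory);
# "amasty/module-order-attributes" is a placeholder package name; the demo tree
# and composer.lock built below are constructed data, not a real store.

FIXED_VERSION="4.0.0"

# version_lt A B: exit 0 when dotted version A is numerically below B
# (suffixes such as -p1 on a field are dropped by the +0 coercion).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# lock_packages LOCK: print "name version" for every package in composer.lock.
# A lock entry lists "name" directly before "version"; author "name" keys carry
# no vendor slash and are skipped. A leading "v" on the version is stripped.
lock_packages() {
    grep -E '^[[:space:]]*"(name|version)":' "$1" \
    | sed -E 's/^[[:space:]]*"(name|version)":[[:space:]]*"([^"]*)".*/\1 \2/' \
    | awk '$1 == "name" { name = $2 }
           $1 == "version" && name ~ /\// { v = $2; sub(/^v/, "", v); print name, v }'
}

# package_version LOCK NAME: installed version of NAME, or nothing if absent.
package_version() {
    lock_packages "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# vulnerable_package LOCK NAME: exit 0 when NAME is installed below FIXED_VERSION,
# 1 when it is at or above it, 2 when it is not in the lock file at all.
vulnerable_package() {
    ver=$(package_version "$1" "$2")
    [ -n "$ver" ] || { echo "$2: not in composer.lock"; return 2; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "$2 $ver: VULNERABLE, upgrade to $FIXED_VERSION or newer"; return 0
    fi
    echo "$2 $ver: at or above the fixed version"; return 1
}

# scan_uploads ROOT DAYS: files changed in the last DAYS days under the Magento
# upload and static directories whose extension is executable-looking or
# browser-active, including double extensions (x.php.jpg) and .htaccess.
# Widen DAYS to the whole window the vulnerable version was installed.
scan_uploads() {
    root="$1"; days="${2:-7}"
    for d in pub/media pub/static var; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -mtime "-$days"
    done 2>/dev/null \
    | grep -Ei '\.(php[0-9]?|phtml|phar|shtml|pl|cgi|sh)(\.[a-z0-9]+)?$|\.(html?|svg|htaccess)$' \
    | sort
}

# make_demo_store: constructed store tree and composer.lock, not real data; the
# planted files hold a text marker only, never code.
make_demo_store() {
    demo=$(mktemp -d)
    mkdir -p "$demo/pub/media/orderattr" "$demo/pub/media/catalog" "$demo/pub/static"
    for f in orderattr/shell.php orderattr/photo.php.jpg orderattr/icon.svg orderattr/.htaccess catalog/logo.png; do
        printf 'planted demo marker\n' > "$demo/pub/media/$f"
    done
    cat > "$demo/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "amasty/module-order-attributes",
            "version": "3.9.2"
        },
        {
            "name": "amasty/base",
            "version": "v1.15.0"
        }
    ]
}
EOF
    echo "$demo"
}

# Demo run against the constructed tree:
DEMO=$(make_demo_store)
vulnerable_package "$DEMO/composer.lock" amasty/module-order-attributes
scan_uploads "$DEMO" 7
```

On a real store run vulnerable_package against the store's composer.lock with the package name that composer show reports, and call scan_uploads with the store root and a DAYS value that reaches back to when the vulnerable version was first deployed; anything the scan lists is a candidate for the evidence-preservation step below, not for immediate deletion.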

Signs that need deeper review

  • New executable-looking files under pub/media or other upload directories.
  • Unexpected HTML, SVG, or script files uploaded around checkout activity. HTML and SVG can carry scripts and are served from the store's own origin, so they matter even where PHP cannot execute.
  • Web-server rules that allow PHP execution inside media or upload paths, for example a generic NGINX "location ~ \.php$" handler with no earlier deny for /media/, or an Apache .htaccess under pub/media that re-enables the PHP engine or adds a handler.
  • New admin users, integration tokens, cron changes, or payment-template edits after the exposure window.

Safe fix path

  1. Upgrade Amasty Order Attributes to 4.0.0 or newer.
  2. Block script execution from media/upload directories at the NGINX, Apache, or hosting-panel level. In NGINX a deny for script extensions under /media/ must come before the generic PHP handler, because regex locations are matched in file order; in Apache make sure no .htaccess under pub/media re-enables the PHP engine. Magento ships a pub/media/.htaccess and an nginx.conf.sample that are meant to keep PHP from executing there; verify the configuration actually deployed, not the sample.
  3. Preserve evidence before cleanup: copy suspicious files and the web-server access logs for the exposure window to a location outside the web root, record their hashes and timestamps, and only then remove the files.
  4. Rotate Magento admin credentials and integration tokens if unauthorized files are found. If a server-side file executed, treat the secrets in app/etc/env.php (database credentials, encryption key) as exposed as well.
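The script below is an added example for steps 2 and 3 of the fix path; it is not Amasty, Magento or Ping7 code. It shows a constructed NGINX fragment whose generic PHP handler also executes /media/anything.php beside one that denies script extensions under /media/ first, a heuristic line-based check that tells the two apart (it is not an NGINX parser; use nginx -t for syntax), and an evidence quarantine that records each file's SHA-256, size and mtime before it leaves the web root. The PHP-FPM socket path, directory names and the planted demo file are assumptions.

```shell
#!/bin/sh
# Added example for the fix path (block script execution, preserve evidence);
# not Amasty, Magento or Ping7 code. The socket path and directory names are
# assumptions; the two NGINX fragments and the demo file are constructed.

# Weak: "location ~ \.php$" is the only PHP rule, so a file written to
# pub/media/x.php is handed to PHP-FPM exactly like index.php.
NGINX_WEAK='
location / { try_files $uri $uri/ /index.php$is_args$args; }
location ~ \.php$ {
    fastcgi_pass unix:/run/php/php-fpm.sock;
    include fastcgi_params;
}'

# Hardened: NGINX tests regex locations in file order and stops at the first
# match, so the /media/ deny has to appear before the generic PHP handler.
NGINX_HARDENED='
location / { try_files $uri $uri/ /index.php$is_args$args; }
location ~* ^/media/.*\.(php[0-9]?|phtml|phar|shtml|pl|cgi)$ { deny all; }
location ~ \.php$ {
    fastcgi_pass unix:/run/php/php-fpm.sock;
    include fastcgi_params;
}'

# media_scripts_denied < CONF: heuristic review of a server block. Exit 0 when a
# regex location covering /media/ and php denies (or returns 403/404) before the
# first generic "location ~ \.php$"; exit 1 otherwise. Not a full parser.
media_scripts_denied() {
    awk '
        /location[[:space:]]+~\*?[[:space:]]+\^?\/media\/.*php/ { in_media = 1 }
        in_media && /(deny[[:space:]]+all|return[[:space:]]+40[34])/ { denied = 1 }
        /location[[:space:]]+~[[:space:]]+\\\.php\$/ { exit }
        /}/ { in_media = 0 }
        END { exit (denied ? 0 : 1) }
    '
}

# quarantine_file FILE QDIR: copy FILE (timestamps preserved) into QDIR under a
# hash-prefixed name and append hash, path, size and mtime to QDIR/manifest.txt.
# Prints the SHA-256 so the copy can be cross-checked later.
quarantine_file() {
    f="$1"; q="$2"
    mkdir -p "$q"
    if command -v sha256sum >/dev/null 2>&1; then h=$(sha256sum "$f" | awk '{print $1}')
    else h=$(shasum -a 256 "$f" | awk '{print $1}'); fi
    cp -p "$f" "$q/$h.$(basename "$f")"
    mt=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
    printf '%s  %s  %s bytes  mtime=%s\n' "$h" "$f" "$(wc -c < "$f" | tr -d ' ')" "$mt" >> "$q/manifest.txt"
    echo "$h"
}

# archive_logs LOGDIR QDIR: tar the web-server access logs before rotation
# discards the exposure window; prints the archive path.
archive_logs() {
    mkdir -p "$2"
    tar cf "$2/access-logs.tar" -C "$1" . && echo "$2/access-logs.tar"
}

# Demo on constructed input (no real store is touched):
printf '%s\n' "$NGINX_WEAK" | media_scripts_denied && echo "weak: /media/ scripts denied" || echo "weak: /media/*.php reaches PHP-FPM"
printf '%s\n' "$NGINX_HARDENED" | media_scripts_denied && echo "hardened: /media/ scripts denied" || echo "hardened: NOT denied"
Q=$(mktemp -d); F=$(mktemp -d)/shell.php
printf 'planted demo marker, not code\n' > "$F"
quarantine_file "$F" "$Q" >/dev/null; cat "$Q/manifest.txt"
```

Feed media_scripts_denied the server block that actually serves the store (the include that nginx -T prints, not the sample file), and point archive_logs at the directory the access logs of the exposure window live in; the manifest gives you a hash to quote when the copied files are handed to whoever does the deeper review.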

Ping7 repair path

Ping7 can review Magento extension versions, uploaded files, web-server execution rules, and post-patch compromise indicators. Use CVE Repair if the store accepted orders while the vulnerable extension was installed.

References