Security Advisory - Published 2026-06-13 - Magento / Amasty
Magento Amasty Order Attributes CVE-2026-53787: upload and media directory check
Stores using Amasty Order Attributes for Magento 2 before 4.0.0 should patch quickly. The risk is strongest when the upload path is reachable without authentication and the media directory can execute server-side files.
10-minute self-check
bin/magento module:status | grep -i Amasty
composer show | grep -i amasty
find pub/media var pub/static -type f -mtime -7 | grep -Ei '\.(php|phtml|phar|shtml|html|svg)$' | head -100
find app/code vendor -maxdepth 5 \( -iname "*Order*Attribute*" -o -iname "*Amasty*" \)
Confirm the installed extension version from Composer or the Magento admin panel. Do not assume a disabled module is safe until the vulnerable upload route and old files are removed from the deployed code.
Signs that need deeper review
- New executable-looking files under pub/media or other upload directories.
- Unexpected HTML, SVG, or script files uploaded around checkout activity.
- Web-server rules that allow PHP execution inside media or upload paths.
- New admin users, integration tokens, cron changes, or payment-template edits after the exposure window.
Safe fix path
- Upgrade Amasty Order Attributes to 4.0.0 or newer.
- Block script execution from media/upload directories at NGINX, Apache, or hosting-panel level.
- Keep suspicious files and access logs before deleting evidence.
- Rotate Magento admin credentials and integration tokens if unauthorized files are found.
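The script below is an added example, not code from the advisory, Magento or Amasty: it wraps the find command from the self-check above and the "keep suspicious files" step into two reusable checks, listing recently modified script-capable files under the upload paths and copying them with a SHA-256 manifest before any cleanup. It assumes a Magento 2 root with pub/media, pub/static and var beneath it and GNU sha256sum; the function names (scan_upload_dirs, count_suspect_files, preserve_findings) are mine.

```shell
#!/bin/sh
# Added example, not code from the advisory, Magento or Amasty. It wraps the
# advisory's self-check: list recently modified script-capable files under the
# upload paths, then copy them with a SHA-256 manifest before any cleanup.
# Assumptions: STORE_ROOT is a Magento 2 root (pub/media, pub/static, var beneath it)
# and GNU coreutils provides sha256sum.

# Extensions the advisory treats as executable-looking inside an upload directory.
SUSPECT_EXT_RE='\.(php|phtml|phar|shtml|html|svg)$'
# Upload/media paths relative to the store root, as in the advisory's find command.
UPLOAD_DIRS="pub/media pub/static var"

# scan_upload_dirs STORE_ROOT [DAYS]: print suspect files (relative paths, sorted)
# modified within the last DAYS days (default 7). Subshell body keeps the cd local.
scan_upload_dirs() (
    cd "$1" || exit 1
    days=${2:-7}
    for d in $UPLOAD_DIRS; do
        [ -d "$d" ] || continue
        find "$d" -type f -mtime -"$days" 2>/dev/null
    done | grep -Ei "$SUSPECT_EXT_RE" | sort
)

# count_suspect_files STORE_ROOT [DAYS]: echo the number of findings; exit 1 if any.
count_suspect_files() {
    n=$(scan_upload_dirs "$1" "${2:-7}" | grep -c . || true)
    echo "$n"
    [ "$n" -eq 0 ]
}

# preserve_findings STORE_ROOT EVIDENCE_DIR [DAYS]: copy each finding with its
# timestamps kept (cp -p) and append a hash line to MANIFEST.sha256; echo the
# manifest line count. Paths in the manifest are relative so "sha256sum -c"
# can verify the originals from STORE_ROOT later.
preserve_findings() {
    root=$1; evidence=$2; manifest=$2/MANIFEST.sha256
    mkdir -p "$evidence"
    scan_upload_dirs "$root" "${3:-7}" | while IFS= read -r f; do
        mkdir -p "$evidence/$(dirname "$f")"
        cp -p "$root/$f" "$evidence/$f"
        (cd "$root" && sha256sum "$f") >> "$manifest"
    done
    if [ -f "$manifest" ]; then wc -l < "$manifest" | tr -d ' '; else echo 0; fi
}

# Direct use: ./scan.sh /var/www/magento /root/evidence-$(date +%F)
if [ -n "$2" ]; then
    scan_upload_dirs "$1"
    echo "preserved $(preserve_findings "$1" "$2") file(s) under $2"
fi
```

Run it from a shell on the web node before touching anything; the evidence directory must sit outside the scanned upload paths.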
Ping7 repair path
Ping7 can review Magento extension versions, uploaded files, web-server execution rules, and post-patch compromise indicators. Use CVE Repair if the store accepted orders while the vulnerable extension was installed.