Jignesh Chabhadiya, June 16, 2026

Sansec Shield has blocked over 12,000 attacks on the Amasty Order Attributes plugin for Magento. Exploitation started within hours of the patch and is still going.

The flaw (CVE-2026-53787, CVSS 9.3) lets anyone upload a webshell to your store with no login. About 25% of all stores have been probed by threat actors so far.

Running Amasty? Upgrade to 4.0.0 now.

Amasty Order Attributes contains an unauthenticated arbitrary file upload vulnerability. An attacker can upload a file of any type and name to the store’s media directory with no login, no session and no cart. Where that directory can execute PHP, this leads to remote code execution (CWE-434).

All versions up to and including 3.16.0 are affected. Amasty released a fix, version 4.0.0, on June 12, 2026. The vulnerability is tracked as CVE-2026-53787 and has a critical CVSS score of 9.3.
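As an added example (not code from Sansec's write-up or from the Amasty module), the sweep below checks a store's media directory for the traces a CWE-434 upload of this kind leaves behind: files with a PHP-executable extension segment anywhere in the name, non-PHP files that carry a PHP open tag, and per-directory web server overrides nested below the media root. The sample tree, its file contents and the `order_attributes/uploads` path are constructed for the demo and are not the plugin's real upload location.

```python
import re, tempfile
from pathlib import Path

# Extension segments PHP handlers may execute, also mid-name ("x.php.jpg").
PHP_EXTS = {"php", "phtml", "phar", "php5", "php7", "phps"}
# PHP open tags; "<?xml" deliberately does not match, so SVGs are not flagged.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Per-directory web server overrides that could re-enable PHP below media/.
SERVER_OVERRIDES = {".htaccess", ".user.ini"}

def classify_file(rel_path, head):
    """Return a reason if the file looks like a dropped webshell, else None."""
    name = rel_path.rsplit("/", 1)[-1].lower()
    if any(seg in PHP_EXTS for seg in name.split(".")[1:]):
        return "php extension segment"
    # Magento ships pub/media/.htaccess itself; only nested copies are odd.
    if name in SERVER_OVERRIDES and "/" in rel_path:
        return "server config override below media root"
    if PHP_TAG.search(head):
        return "php open tag inside non-php file"
    return None

def scan_media_dir(root):
    """Walk root (e.g. pub/media) and return sorted (rel_path, reason) pairs."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            head = fh.read(65536)  # an open tag normally sits near the start
        rel = path.relative_to(root).as_posix()
        if reason := classify_file(rel, head):
            findings.append((rel, reason))
    return sorted(findings)

def build_sample_media(root):
    """Constructed sample tree (not real store data); the paths are made up."""
    samples = {
        ".htaccess": b"Options -Indexes",
        "catalog/product/b/a/bag.jpg": b"\xff\xd8\xff\xe0 clean JPEG bytes",
        "order_attributes/uploads/upload1.php": b"<?php /* constructed */ ?>",
        "order_attributes/uploads/photo.php.jpg": b"GIF89a looks like an image",
        "order_attributes/uploads/photo.jpg": b"GIF89a<?php /* polyglot */ ?>",
        "order_attributes/uploads/.htaccess": b"# constructed override",
    }
    for rel, data in samples.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_media(root)
        return scan_media_dir(root)
```

Run `scan_media_dir("pub/media")` against a real store and treat every hit as a file to review against the deploy manifest; a match is a lead, not proof of compromise.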

Sansec Shield blocks these uploads in real time, so stores running Shield have been protected.

An unauthenticated arbitrary file upload flaw in Amasty Order Attributes (CVE-2026-53787) lets attackers write executable files to a Magento store without logging in, opening the door to remote code execution. Amasty fixed it in version 4.0.0. Sansec Shield has already blocked over 12,000 attacks against more than 100 stores.

Hire me for the upgrade:

ref: https://sansec.io/research/amasty-order-attributes-file-upload
