A critical arbitrary file upload vulnerability in Amasty Order Attributes for Magento 2 allows unauthenticated attackers to achieve remote code execution and compromise the store environment.

This is an unauthenticated arbitrary file upload vulnerability located in the upload endpoint. Attackers can bypass authentication and session validation to write malicious files, including PHP scripts, directly to the server's media directory.

With a CVSS score of 9.8, this vulnerability poses a severe threat to business operations. Successful exploitation allows for full remote code execution, enabling attackers to steal customer data, inject malicious scripts (stored XSS), or host malware, leading to significant reputational damage and potential loss of PCI-DSS compliance.

Immediate Action: Update the Amasty Order Attributes extension to version 4.0.0 or later immediately to close the upload endpoint vulnerability.

Proactive Monitoring: Review web server access logs for suspicious file upload requests to the media directory and monitor for unauthorized PHP execution patterns.

Compensating Controls: Implement a Web Application Firewall (WAF) to block requests containing suspicious file extensions or unauthorized multipart/form-data POST requests to the affected endpoint.

Public Exploit Available: True

The severity of this flaw, combined with the availability of public exploits, necessitates immediate patching. Organizations running affected versions of Amasty Order Attributes must prioritize upgrading to version 4.0.0 to prevent total compromise of the e-commerce environment.