Impact
The vulnerability in the Amasty Order Attributes for Magento 2 module allows attackers to upload files of any type or name to the store’s media directory without authentication, session validation, or cart context. This flaw is a classic arbitrary file upload (CWE-434). If the uploaded file is a PHP script and the media directory permits execution, an attacker can achieve remote code execution. Even if the server does not execute PHP in that directory, the vulnerability can still be abused to host malware, embed stored cross‑site scripting payloads via HTML or SVG files, or perform path traversal to write files outside the intended upload path, potentially impacting other parts of the application or filesystem.
Affected Systems
The affected product is Amasty Order Attributes for Magento 2, in all releases prior to version 4.0.0. Any Magento 2 site with an earlier version of this module installed is vulnerable.
Risk and Exploitability
The CVSS score of 9.3 reflects the high severity of this issue. The EPSS score is not available, but the lack of authentication and session checks strongly indicates a high likelihood of exploitation in real-world scenarios. The vulnerability is not listed in the CISA KEV catalog. Attackers typically exploit it by sending crafted HTTP requests to the upload endpoint; no special privileges or additional software are required. If the media directory allows PHP execution, the attack vector leads straight to remote code execution; otherwise the attacker can still achieve disruptive outcomes such as malware hosting or stored XSS.
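A defender-side triage check for the impacts described above, added here as an example and not taken from the advisory, Amasty, or Magento: it walks a media directory and flags files that carry an active-content extension or hide a PHP open tag behind another file type. The extension list, the function names, and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumed triage list, drawn from the impacts the advisory names (PHP
# execution, stored XSS via HTML or SVG); adjust to your server config.
ACTIVE_EXTS = {".php", ".phtml", ".phar", ".html", ".htm", ".svg"}
PHP_MARKER = b"<?php"

def audit_media_dir(root):
    """Return sorted (relative_path, reason) pairs for suspect files."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Check every suffix so a name like "a.php.jpg" is caught too.
        hit = {s.lower() for s in path.suffixes} & ACTIVE_EXTS
        if hit:
            findings.append((rel, "active extension " + sorted(hit)[0]))
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(4096)  # PHP tag hidden behind an image header
        except OSError:
            continue
        if PHP_MARKER in head:
            findings.append((rel, "PHP open tag in content"))
    return sorted(findings)

def build_sample_tree(root):
    """Write constructed sample files (not from a real incident)."""
    samples = {
        "catalog/product/shoe.jpg": b"\xff\xd8\xff\xe0JFIF",
        "tmp/up.php": b"<?php /* placeholder */",
        "tmp/banner.svg": b"<svg xmlns='http://www.w3.org/2000/svg'/>",
        "tmp/photo.png": b"\x89PNG\r\n<?php /* placeholder */",
    }
    for rel, data in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_media_dir(tmp):
            print(f"{rel}: {reason}")
```

On a default Magento 2 layout the directory to pass is `pub/media`; legitimate SVG or HTML assets will also be listed, so treat the output as a review queue and compare it against known-good files.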