Clarify file-based session storage requirements and exploit limitations

Co-authored-by: jheysel-r7 <jheysel-r7@users.noreply.github.com>

Author: Chocapikk

documentation/modules/exploit/multi/http/magento_sessionreaper.md

@@ -5,7 +5,14 @@ allows an unauthenticated user to gain arbitrary code execution through nested d
 upload.
 
 This vulnerability (CVE-2025-54236, also known as SessionReaper) affects Magento 2.x instances using file-based session
-storage. The module was specifically tested against Magento 2.4.4.
+storage. **Note:** File-based session storage is not enabled by default in Magento. The target must be explicitly
+configured to use file-based sessions (typically via `app/etc/env.php` with `'session' => ['save' => 'files']`) for this
+vulnerability to be exploitable. By default, Magento uses database or Redis session storage.
+
+**Exploit limitations:** In production environments, the upload directory (`media/customer_address/`) where the malicious
+session file is uploaded is generally configured as read-only, which prevents successful exploitation. This exploit
+therefore has limited applicability in hardened production environments. The module was specifically tested against
+Magento 2.4.4.
 
 ### Description