Shopware Security Plugin Exposes Systems to SQL Injection Attacks

A plugin designed to patch security vulnerabilities in older versions of Shopware has itself been found vulnerable to SQL injection attacks.

The flaw, discovered in Shopware Security Plugin 6 version 2.0.10, affects Shopware installations below versions 6.5.8.13 and 6.6.5.1, potentially allowing attackers to compromise database systems with read and write permissions.

The vulnerability arises from an incomplete fix for previously known SQL injection issues (CVE-2024-22406 and CVE-2024-42357).

While the Security Plugin was meant to retrospectively patch these vulnerabilities in older Shopware versions, the implementation left systems exposed through nested API requests.

This oversight creates a significant security gap for e-commerce platforms relying on the plugin for protection while delaying full version upgrades.

SQL injection attacks allow malicious actors to manipulate database queries, potentially leading to unauthorized access to sensitive customer data, transaction records, or even complete system compromise.

The severity varies depending on which users have access to Shopware APIs, with the risk particularly high if search-related endpoints of the Store API are publicly exposed.

Red Team Pentesting researchers identified the vulnerability on February 12, 2025, noting that while the security plugin correctly patches the vulnerability in the name field of top-level aggregation objects, it fails to sanitize nested aggregation objects, which can be used recursively.

Exploitable Pathway

This oversight creates an exploitable pathway for attackers with access to either the Shopware Store API or Admin API.

The technical vulnerability exists in how the plugin handles the aggregations field used in API endpoints such as “/api/search/order”. The following code snippet demonstrates the incomplete fix in the security plugin:

// Incomplete fix shipped in Security Plugin 6 version 2.0.10 (behaviour preserved as described above).
class PatchedAggregationParser extends AggregationParser
{
    public function buildAggregations(EntityDefinition $definition, array $payload, Criteria $criteria, SearchRequestException $searchRequestException): void
    {
        // Let the original parser build the aggregation objects from the request payload first.
        parent::buildAggregations($definition, $payload, $criteria, $searchRequestException);

        // Only the aggregations attached directly to the criteria are inspected here;
        // any aggregation nested inside one of them is never visited.
        foreach ($criteria->getAggregations() as $i => $aggregation) {
            if (str_contains($aggregation->getName(), '?') || str_contains($aggregation->getName(), ':')) {
                $searchRequestException->add(new InvalidAggregationQueryException('Invalid character in aggregation name'));
            }
        }
    }
}

The foreach loop only checks the topmost name field of the aggregations, allowing attackers to inject symbols like “?” or “:” in nested aggregation objects.

Attackers can exploit this by crafting specially designed queries that manipulate the database through prepared statement mechanisms.
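To make the gap concrete, here is an added illustration (not code from the plugin or from Shopware) in Python: a validator that mirrors the top-level-only check beside one that walks every nesting level of a decoded aggregations payload. The sample payload is constructed, and the use of the keys "aggregation" and "aggregations" to hold child aggregations is an assumption about the request shape, not something the article states.

```python
import json

# Characters the plugin rejects in an aggregation name.
FORBIDDEN = ("?", ":")
# Keys under which a child aggregation may be nested (assumed payload shape).
NESTED_KEYS = ("aggregation", "aggregations")


def top_level_only_check(aggregations):
    """Mirrors the incomplete fix: looks only at the outermost 'name' fields."""
    return [f"aggregations[{i}]" for i, agg in enumerate(aggregations)
            if isinstance(agg, dict) and any(c in agg.get("name", "") for c in FORBIDDEN)]


def recursive_check(aggregations, path="aggregations"):
    """Visits every nesting level and returns the JSON paths of offending names."""
    bad = []
    for i, agg in enumerate(aggregations):
        _check_one(agg, f"{path}[{i}]", bad)
    return bad


def _check_one(agg, here, bad):
    if not isinstance(agg, dict):
        return
    if any(c in agg.get("name", "") for c in FORBIDDEN):
        bad.append(here)
    for key in NESTED_KEYS:
        child = agg.get(key)
        if isinstance(child, dict):
            _check_one(child, f"{here}.{key}", bad)
        elif isinstance(child, list):
            for j, item in enumerate(child):
                _check_one(item, f"{here}.{key}[{j}]", bad)


# Constructed sample: clean names on the outer levels, a bad name two levels down.
SAMPLE_PAYLOAD = json.loads("""
{"aggregations": [{"name": "by_state", "type": "terms", "field": "stateId",
  "aggregation": {"name": "by_customer", "type": "terms", "field": "orderCustomerId",
    "aggregation": {"name": "count:id?", "type": "count", "field": "id"}}}]}
""")


def compare(payload):
    """Returns what each check flags for the given decoded payload."""
    aggs = payload.get("aggregations", [])
    return {"top_level_only": top_level_only_check(aggs), "recursive": recursive_check(aggs)}
```

Running compare(SAMPLE_PAYLOAD) shows the shallow check returning nothing while the recursive check reports the nested entry, which is exactly the blind spot the plugin update closes.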

Shopware has released Security Plugin 6 version 2.0.11 to address this vulnerability.

Alternatively, users can upgrade to Shopware 6.5.8.13 or 6.6.5.1, which fix the issue independently of the security plugin. Given the potential for privilege escalation and data compromise, immediate patching is strongly recommended.
