
New Shopware Security Bug Enables SQL Attacks


A critical security flaw has been discovered in the Shopware Security Plugin—ironically, a tool meant to fix vulnerabilities in older Shopware versions. Instead of shielding e-commerce systems, version 2.0.10 of the plugin introduced a new risk: exposure to SQL injection attacks.

This vulnerability affects Shopware installations running versions older than 6.5.8.13 and 6.6.5.1. Attackers could potentially gain unauthorized access to backend databases with both read and write privileges, posing a major threat to sensitive data, including customer information and transaction history.

The issue stems from an incomplete patch for previously reported SQL injection bugs (CVE-2024-22406 and CVE-2024-42357). While the plugin was built to retroactively secure outdated Shopware setups, it fails to fully sanitize user input in nested API requests—leaving a backdoor open for malicious actors.

How the Shopware SQL Injection Vulnerability Works

SQL injection vulnerabilities allow attackers to tamper with backend queries and inject malicious commands into databases. In this case, the risk becomes especially serious when certain Store API endpoints, such as search functions, are exposed publicly. That exposure broadens the attack surface significantly, particularly for unauthenticated users.

The flaw was flagged by researchers from Red Team Pentesting on February 12, 2025. Their analysis revealed that the plugin correctly blocks dangerous characters like ? and : in the top-level name field of aggregation objects. However, the fix overlooks recursive nesting within those aggregations—creating a loophole hackers can exploit.

Vulnerable Code and Exploitable Paths

The vulnerability lies in how the plugin handles aggregation fields in endpoints like /api/search/order. The code below, from the flawed plugin version, shows the limitation:

class PatchedAggregationParser extends AggregationParser
{
    public function buildAggregations(EntityDefinition $definition, array $payload, Criteria $criteria, SearchRequestException $searchRequestException): void
    {
        // Let the stock parser build the aggregation objects first.
        parent::buildAggregations($definition, $payload, $criteria, $searchRequestException);

        // Only the aggregations at the top level of the criteria are inspected;
        // child aggregations nested inside them are never visited.
        foreach ($criteria->getAggregations() as $i => $aggregation) {
            if (str_contains($aggregation->getName(), '?') || str_contains($aggregation->getName(), ':')) {
                $searchRequestException->add(new InvalidAggregationQueryException('Invalid character in aggregation name'));
            }
        }
    }
}

The loop only checks for unsafe characters at the top level. An attacker can therefore place the forbidden characters in the name of a nested aggregation, which slips past this filter and still reaches the prepared statements Shopware builds from the aggregation name, where it injects SQL.
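A recursive check of the kind the plugin lacked, as an added example rather than code from Shopware or the plugin: it walks the decoded JSON body of a search request and rejects '?' or ':' in every aggregation name at any depth. It assumes the request layout (each aggregation has a name, a type and, for bucket types, an optional child under the key aggregation) instead of working on the plugin's Aggregation objects.

```php
<?php
declare(strict_types=1);

// Added example, not Shopware code. Returns the path of every aggregation
// whose name contains '?' or ':', including nested child aggregations.
// Assumed payload layout: "aggregations" is a list of objects with "name",
// "type", and optionally a nested "aggregation" object (bucket types).
function findUnsafeAggregationNames(array $payload): array
{
    $found = [];
    $walk = function (array $aggregation, string $path) use (&$walk, &$found): void {
        $name = (string) ($aggregation['name'] ?? '');
        if (str_contains($name, '?') || str_contains($name, ':')) {
            $found[] = $path . '/' . $name;
        }
        // Bucket aggregations (terms, filter, histogram, ...) carry a child
        // aggregation; recurse so a nested name gets the same check.
        if (isset($aggregation['aggregation']) && is_array($aggregation['aggregation'])) {
            $walk($aggregation['aggregation'], $path . '/' . $name);
        }
    };
    foreach ($payload['aggregations'] ?? [] as $i => $aggregation) {
        if (is_array($aggregation)) {
            $walk($aggregation, "aggregations[$i]");
        }
    }
    return $found;
}

// Constructed request body: the top-level name is clean, the nested one is not,
// which is exactly the case the top-level-only loop above accepts.
$request = json_decode('{
  "aggregations": [
    {
      "name": "per-state",
      "type": "terms",
      "field": "stateId",
      "aggregation": {"name": "total :bad?", "type": "sum", "field": "amountTotal"}
    }
  ]
}', true);

$unsafe = findUnsafeAggregationNames($request);
if ($unsafe !== []) {
    echo 'Rejected: ' . implode(', ', $unsafe) . PHP_EOL;
} else {
    echo 'Payload accepted' . PHP_EOL;
}
```

The same walk can be applied to the parsed Aggregation objects instead of the raw body by recursing into each bucket aggregation's child, which is what a complete fix has to do.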

Immediate Patch and Upgrade Recommendations

To fix this vulnerability, Shopware released Security Plugin 6 version 2.0.11, which addresses the recursive sanitization issue. Users are strongly urged to upgrade the plugin immediately.

Alternatively, migrating to Shopware version 6.5.8.13 or 6.6.5.1 will also resolve the issue—without relying on the plugin. For online stores handling sensitive customer data or financial transactions, patching this vulnerability is crucial to avoid privilege escalation or full database compromise.

As this incident shows, even tools designed to protect can become attack vectors if not carefully implemented. Staying updated is the best defense.
