Shopware
Moderate fix4 remedies
cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*
Moderate fix4 remedies
- < 6.5.8.17
- >= 6.6.0.0, <= 6.6.10.2
- 6.7.0.0-rc1
Shopware Default Double Opt-In Settings Vulnerability Allowing Unsolicited Newsletter Sign-Ups
Vulnerability
Patched
A vulnerability in Shopware's default double-opt-in newsletter settings allows for mass unsolicited sign-ups without confirmation. This issue affects Shopware versions prior to 6.5.8.17 and versions 6.6.0.0 through 6.6.10.2, as well as 6.7.0.0-rc1. With the default settings, anyone can register an account using any email address and sign up for the newsletter without needing to click a confirmation link. The recipient receives two confirmation emails, and their subscription is activated immediately in the backend.
Impact
Exploitation of this vulnerability could lead to unauthorized newsletter sign-ups, causing potential spam issues and undermining the integrity of the newsletter system.
Remediation
Users can update to Shopware versions 6.5.8.17, 6.6.10.3, or 6.7.0.0-rc2 to address this vulnerability. For older versions of 6.4, corresponding security measures are available via a plugin.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
6.4impact
0.6exploitability
7.6remediation
7.7relevance
0.0threat
0.0urgency
2.9incentive
5.8Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.