Mass Newsletter Sign-Up Vulnerability in Shopware E-commerce Platform
CVE-2025-32378

6.9 MEDIUM

Key Information:

Vendor: Shopware
Status: Vendor
CVE Published: 9 April 2025

What is CVE-2025-32378?

Shopware versions prior to 6.6.10.3 and 6.5.8.17 are affected by a vulnerability that allows mass unsolicited newsletter sign-ups. The cause is the default configuration: double opt-in is enabled for newsletters, but related options remain disabled, such as requiring email confirmation for newsletter subscriptions. As a result, anyone can register an account with an arbitrary email address and subscribe it to the newsletter without the address ever being verified. The flaw can be abused for spam and other malicious activity. Users are advised to update to the patched versions to secure their platforms.

Affected Version(s)

shopware < 6.5.8.17

shopware >= 6.6.0.0, < 6.6.10.3

shopware >= 6.7.0.0-rc1, < 6.7.0.0-rc2

CVSS v4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved