N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-32378

GHSA ID

GHSA-4h9w-7vfp-px8m

EPSS Score

0.02474%

CWE

CWE-1188

Published

4/9/2025

Updated

4/9/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32378

CVE-2025-32378: Shopware default newsletter opt-in settings allow for mass sign-up abuse

Impact

Currently the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation.

Default settings are:

Newsletter: Double Opt-in - active

Newsletter: Double opt-in for registered customers - disabled

Log-in & sign-up: Double opt-in on sign-up - disabled

With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”.

Patches

Update to Shopware 6.6.10.3 or 6.5.8.17

Workarounds

For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-32378

GHSA ID

GHSA-4h9w-7vfp-px8m

EPSS Score

0.02474%

CWE

CWE-1188

Published

4/9/2025

Updated

4/9/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/core	composer	>= 6.6.0.0-rc1, < 6.6.10.3	6.6.10.3
shopware/platform	composer	>= 6.6.0.0-rc1, < 6.6.10.3	6.6.10.3
shopware/platform	composer	>= 6.7.0.0-rc1, < 6.7.0.0-rc2	6.7.0.0-rc2
shopware/core	composer	>= 6.7.0.0-rc1, < 6.7.0.0-rc2	6.7.0.0-rc2
shopware/core	composer	< 6.5.8.17	6.5.8.17
shopware/platform	composer	< 6.5.8.17	6.5.8.17

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows mass unsolicited newsletter sign-ups due to default double-opt-in (DOI) settings. The provided patch (commit 9786aaddd452ec54cb5a05c7abf71b24d7229d6f) modifies NewsletterSubscribeRoute.php. The core of the fix lies in changing the logic of the isNewsletterDoi method to correctly evaluate DOI requirements, especially for registered customers subscribing with an email different from their account email when 'doubleOptInRegistered' is disabled but general 'doubleOptIn' is enabled. The subscribe method, which is the main entry point for subscriptions, and getOptionSelection, which determines the initial subscription status, were both updated to use this corrected isNewsletterDoi logic. Therefore, the pre-patch versions of these three methods (subscribe, isNewsletterDoi, and getOptionSelection) are identified as the key functions involved in the vulnerability, as their original logic led to the bypass of the DOI mechanism under the described default settings.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *urr*ntly t** ****ult s*ttin*s *or *ou*l*-opt-in *llow *or m*ss unsoli*it** n*wsl*tt*r si*n-ups wit*out *on*irm*tion. ****ult s*ttin*s *r*: N*wsl*tt*r: *ou*l* Opt-in - **tiv* N*wsl*tt*r: *ou*l* opt-in *or r**ist*r** *ustom*rs - *is**l*

Reasoning

T** vuln*r**ility *llows m*ss unsoli*it** n*wsl*tt*r si*n-ups *u* to ****ult *ou*l*-opt-in (*OI) s*ttin*s. T** provi*** p*t** (*ommit ****************************************) mo*i*i*s `N*wsl*tt*rSu*s*ri**Rout*.p*p`. T** *or* o* t** *ix li*s in ***n*

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-32378: Shopware default newsletter opt-in settings allow for mass sign-up abuse

Impact

Patches

Workarounds

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI