A critical vulnerability has been identified in EverShop, described as a second-order SQL injection with a CVSS v4 score of 9.3, potentially exposing stores running vulnerable versions. The flaw centres on the url_key field, which defines product category URLs: a value written to the database through this field is later read back and executed as part of a SQL statement when the application retrieves it.
The advisory explains that during category update and deletion event handling, the path and request_path values are embedded into SQL statements via string concatenation, so the stored data itself becomes part of the query. An attacker who can modify a category's URL key (for example through a compromised low-privilege account or another flaw) could plant a malicious SQL command that is executed later, when the event handler runs.
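The concatenation pattern the advisory describes, beside its parameterised form, as an added illustration. This is not EverShop's code: the table name url_rewrite, the column request_path, the node-postgres-style `{ text, values }` shape and the slug policy are assumptions. The scanner shows how a stored apostrophe, whether planted or a harmless "men's-shoes", changes the shape of a concatenated statement, while the same value bound as a parameter leaves the statement text untouched; the audit function applies the write-time rule to existing rows so a defender can find values that could only have been stored by bypassing it.

```javascript
// Added illustration of the second-order SQL injection pattern the advisory
// describes. Not EverShop's code: the table name url_rewrite, the column
// request_path and the slug policy below are assumptions.

// Pattern to avoid: a value read back from the database is spliced into a
// later statement by concatenation. The statement's shape then depends on
// the stored text, so any url_key containing an apostrophe (malicious or a
// plain "men's-shoes") changes the SQL that reaches the database.
function buildUnsafeDeleteQuery(requestPath) {
  return "DELETE FROM url_rewrite WHERE request_path = '" + requestPath + "'";
}

// Hardened form: fixed statement text plus a bound parameter. This is the
// { text, values } shape accepted by node-postgres; the driver sends the
// value separately and the database never parses it as SQL.
function buildSafeDeleteQuery(requestPath) {
  return {
    text: 'DELETE FROM url_rewrite WHERE request_path = $1',
    values: [requestPath],
  };
}

// Minimal scanner over single-quoted SQL literals ('' is an escaped quote).
// Returns how many literals the statement contains and whether the last one
// is unterminated, which is how a stray quote from concatenation shows up.
function analyzeLiterals(sql) {
  let literals = 0;
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    if (sql[i] !== "'") continue;
    if (inLiteral && sql[i + 1] === "'") { i++; continue; } // escaped ''
    inLiteral = !inLiteral;
    if (inLiteral) literals++;
  }
  return { literals, unterminated: inLiteral };
}

// Write-time validation as defence in depth: a category url_key is a slug,
// so anything outside lowercase letters, digits and single hyphens is
// rejected before it can be stored and later read back into a query.
// Assumed policy; the project's own rules may differ.
const URL_KEY_PATTERN = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

function isValidUrlKey(key) {
  return typeof key === 'string' && key.length <= 255 && URL_KEY_PATTERN.test(key);
}

// Detection side: apply the same rule to rows already in the table to find
// url_key values that could only have been written by bypassing validation.
function auditUrlKeys(rows) {
  return rows.filter((row) => !isValidUrlKey(row.url_key));
}

// Constructed sample rows (not real data).
const SAMPLE_ROWS = [
  { category_id: 1, url_key: 'summer-sale' },
  { category_id: 2, url_key: "men's-shoes" },
  { category_id: 3, url_key: "x' OR 'a'='a" },
];

for (const row of SAMPLE_ROWS) {
  const unsafe = buildUnsafeDeleteQuery(row.url_key);
  console.log(row.url_key, '=>', JSON.stringify(analyzeLiterals(unsafe)));
}
console.log('rows failing slug policy:', auditUrlKeys(SAMPLE_ROWS).map((r) => r.category_id));
```

The scanner is only a teaching aid for seeing why concatenation is unsafe; the actual fix is the parameterised form, with the slug check as a second layer and as a one-off audit of rows written before the fix was applied.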
The issue has been addressed in the latest update, and EverShop users are advised to upgrade to version 2.1.1 or higher to neutralise the risk. EverShop is described as a modern, developer-focused e-commerce platform built on React and GraphQL.