I think you meant it is NOT vulnerable by default =) which is what I thought. I can basically appeal this finding with them, but I wanted to run this by the group before doing that just to make sure.
Basically the vulnerability is with product attributes. Take a look at this page:
It's saying that arbitrary SQL can be injected into the product attribute?? Can anyone confirm this? If not, I will contact them and ask them to elaborate on exactly what SQL was injected.