Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0.
AnalysisAI
Authorization bypass in Shopperlabs Shopper headless e-commerce admin panel prior to 2.8.0 allows authenticated low-privilege users with read-only order permissions to mutate every order in the panel and trigger real Payment Service Provider captures via Filament admin actions. The flaw spans multiple Livewire components beyond orders - including product sub-forms, team settings, and RBAC management - enabling privilege escalation up to role creation and user deletion. No public exploit identified at time of analysis, but a detailed GitHub Security Advisory and patch diff are public.
Technical ContextAI
Shopper is a Laravel/Filament-based headless e-commerce admin package (composer/shopper/framework) that uses Livewire components for interactive admin panels. The root cause is CWE-285 Improper Authorization (and CWE-862 Missing Authorization per the GHSA): Filament action callbacks and Livewire component store()/mount() methods did not invoke $this->authorize() against the correct ability, instead gating mutating operations on read-only permissions like read_orders, browse_orders, view_users, or no permission at all. Additionally, public Eloquent model properties on Livewire components were not annotated with the #[Locked] attribute, allowing clients to tamper with bound IDs and operate on records they should not access - the patch adds #[Locked] across Customer, Order, and Product components alongside explicit authorize() calls. A separate stored XSS via DNS1DFacade::getBarcodeHTML() rendered with {!! !!} on the product barcode field is also fixed in 2.8.0.
RemediationAI
Vendor-released patch: 2.8.0 - upgrade by running composer require shopper/admin:^2.8 shopper/cart:^2.8 shopper/core:^2.8 followed by php artisan migrate, per the GHSA-f946-9qp6-vgch advisory. The vendor explicitly states no workarounds exist; if an immediate upgrade is not possible, compensating controls include temporarily revoking all non-administrative roles (read_orders, browse_orders, view_users, and any custom roles missing edit_* abilities) so only fully trusted admins can reach the panel - accepting the operational cost that support and fulfillment staff lose admin access - and disabling external network access to the /admin (or configured Shopper) route via reverse-proxy IP allowlists to limit exposure to known operator workstations. Monitor PSP logs for unexpected capture events and Laravel audit logs for unauthorized cancel/mark-paid/mark-delivered actions until the upgrade lands. Review the patch commit fcd0c5920588702df5b874f432b1042abd77a50b and PR #511 (https://github.com/shopperlabs/shopper/pull/511) to confirm coverage of any locally forked components.
Privilege escalation in Shopper headless e-commerce admin panel prior to version 2.8.0 allows any low-privilege authenti
Privilege escalation in shopperlabs/shopper prior to 2.8.0 allows any authenticated admin panel user - regardless of ass
Missing authorization enforcement in the Shopper headless e-commerce admin panel (all versions prior to 2.8.0) allows an
Discount over-redemption via race condition in Shopper (shopperlabs/shopper prior to v2.8.0) allows concurrent unauthent
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33410
GHSA-f946-9qp6-vgch