Shopper Framework CVE-2026-47743
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS:
- IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the
#[Locked]attribute. An authenticated user could rewrite the wire payload from the browser to target any record id, bypassing the implicit scoping enforced by the page routing. - Sensitive data echoed back through Hidden form field.
Customers/Create::store()re-passed aHidden_passwordform field straight into the create payload. The plaintext password was rendered into the HTML and transported through the Livewire snapshot in clear text, exposing credentials in the page DOM and in any logging that captures Livewire payloads. - Stored XSS on product barcode. The product barcode field was rendered through
DNS1DFacade::getBarcodeHTML()with{!! !!}. An attacker withedit_productspermission could persist malicious payload in the barcode field that would execute in the browser of any admin user viewing that product, enabling session theft and privileged-action chaining.
Patches
Fixed in v2.8.0:
- All vulnerable Livewire model identifiers are now marked
#[Locked]. Customers/Createno longer round-trips the password through a Hidden form field; the plaintext password is hashed at action boundary and never returned to the client.- The product barcode rendering now escapes the value before passing it to the barcode generator and the output is wrapped in an
<svg>context that does not interpret event handlers.
Upgrade via:
composer require shopper/admin:^2.8Workarounds
None. Upgrade to v2.8.0.
AnalysisAI
Stored XSS, IDOR, and credential disclosure in Shopper Framework admin Livewire components (versions < 2.8.0) allow authenticated admin users to tamper with arbitrary records, harvest plaintext customer passwords from the page DOM, and persist JavaScript payloads in product barcode fields that execute against any admin viewing the product. The combined issues enable session hijacking and privileged-action chaining within the Laravel-based e-commerce admin panel; no public exploitation has been reported and no public exploit identified at time of analysis.
Technical ContextAI
Shopper is a Laravel/Livewire-based open-source e-commerce administration framework distributed via Composer as shopper/framework (pkg:composer/shopper_framework). The root causes span three CWE-79-adjacent flaws in Livewire components: (1) public component properties holding Eloquent model IDs were not annotated with Livewire's #[Locked] attribute, allowing client-side wire-snapshot tampering to swap target record IDs (an IDOR pattern, CWE-639); (2) Customers/Create::store() round-tripped a plaintext _password value through a Hidden form field, embedding credentials in the rendered HTML and Livewire snapshot (CWE-200/CWE-319); and (3) the product barcode value was rendered via DNS1DFacade::getBarcodeHTML() inside Blade's unescaped {!! !!} directive, yielding stored XSS (CWE-79). The v2.8.0 patch adds #[Locked] across Customers, Orders, and Products Livewire components, hashes the password at the action boundary instead of returning it to the client, and escapes the barcode value while wrapping the output in an <svg> context that does not evaluate event handlers.
RemediationAI
Vendor-released patch: 2.8.0 - upgrade immediately with composer require shopper/admin:^2.8 (or update the shopper/framework constraint to ^2.8.0 in composer.json and run composer update shopper/framework), per https://github.com/shopperlabs/shopper/security/advisories/GHSA-hr9v-r8r2-hg7j. The vendor explicitly states there are no workarounds, so unpatched deployments should at minimum tighten admin-panel access at the network edge (IP allowlist or VPN-gate /admin routes) and audit role assignments to revoke edit_products from any non-trusted staff accounts, accepting that this only blunts the stored-XSS path and does not address IDOR or the password disclosure in Customers/Create. Operators should also rotate any customer passwords created through the admin Customers/Create flow on pre-2.8.0 versions since they may have been exposed in DOM snapshots or request logs, and scrub Livewire payload captures from log retention systems.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hr9v-r8r2-hg7j