Skip to main content

Shopper Framework CVE-2026-47743

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-05 https://github.com/shopperlabs/shopper GHSA-hr9v-r8r2-hg7j
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 05, 2026 - 21:15 vuln.today
Analysis Generated
Jun 05, 2026 - 21:15 vuln.today

DescriptionGitHub Advisory

Impact

Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS:

  • IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the #[Locked] attribute. An authenticated user could rewrite the wire payload from the browser to target any record id, bypassing the implicit scoping enforced by the page routing.
  • Sensitive data echoed back through Hidden form field. Customers/Create::store() re-passed a Hidden _password form field straight into the create payload. The plaintext password was rendered into the HTML and transported through the Livewire snapshot in clear text, exposing credentials in the page DOM and in any logging that captures Livewire payloads.
  • Stored XSS on product barcode. The product barcode field was rendered through DNS1DFacade::getBarcodeHTML() with {!! !!}. An attacker with edit_products permission could persist malicious payload in the barcode field that would execute in the browser of any admin user viewing that product, enabling session theft and privileged-action chaining.

Patches

Fixed in v2.8.0:

  • All vulnerable Livewire model identifiers are now marked #[Locked].
  • Customers/Create no longer round-trips the password through a Hidden form field; the plaintext password is hashed at action boundary and never returned to the client.
  • The product barcode rendering now escapes the value before passing it to the barcode generator and the output is wrapped in an <svg> context that does not interpret event handlers.

Upgrade via:

bash
composer require shopper/admin:^2.8

Workarounds

None. Upgrade to v2.8.0.

AnalysisAI

Stored XSS, IDOR, and credential disclosure in Shopper Framework admin Livewire components (versions < 2.8.0) allow authenticated admin users to tamper with arbitrary records, harvest plaintext customer passwords from the page DOM, and persist JavaScript payloads in product barcode fields that execute against any admin viewing the product. The combined issues enable session hijacking and privileged-action chaining within the Laravel-based e-commerce admin panel; no public exploitation has been reported and no public exploit identified at time of analysis.

Technical ContextAI

Shopper is a Laravel/Livewire-based open-source e-commerce administration framework distributed via Composer as shopper/framework (pkg:composer/shopper_framework). The root causes span three CWE-79-adjacent flaws in Livewire components: (1) public component properties holding Eloquent model IDs were not annotated with Livewire's #[Locked] attribute, allowing client-side wire-snapshot tampering to swap target record IDs (an IDOR pattern, CWE-639); (2) Customers/Create::store() round-tripped a plaintext _password value through a Hidden form field, embedding credentials in the rendered HTML and Livewire snapshot (CWE-200/CWE-319); and (3) the product barcode value was rendered via DNS1DFacade::getBarcodeHTML() inside Blade's unescaped {!! !!} directive, yielding stored XSS (CWE-79). The v2.8.0 patch adds #[Locked] across Customers, Orders, and Products Livewire components, hashes the password at the action boundary instead of returning it to the client, and escapes the barcode value while wrapping the output in an <svg> context that does not evaluate event handlers.

RemediationAI

Vendor-released patch: 2.8.0 - upgrade immediately with composer require shopper/admin:^2.8 (or update the shopper/framework constraint to ^2.8.0 in composer.json and run composer update shopper/framework), per https://github.com/shopperlabs/shopper/security/advisories/GHSA-hr9v-r8r2-hg7j. The vendor explicitly states there are no workarounds, so unpatched deployments should at minimum tighten admin-panel access at the network edge (IP allowlist or VPN-gate /admin routes) and audit role assignments to revoke edit_products from any non-trusted staff accounts, accepting that this only blunts the stored-XSS path and does not address IDOR or the password disclosure in Customers/Create. Operators should also rotate any customer passwords created through the admin Customers/Create flow on pre-2.8.0 versions since they may have been exposed in DOM snapshots or request logs, and scrub Livewire payload captures from log retention systems.

Share

CVE-2026-47743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy