Skip to main content

Shopper CVE-2026-47745

| EUVDEUVD-2026-33406 MEDIUM
Missing Authorization (CWE-862)
2026-05-29 GitHub_M GHSA-fxqw-97cc-7g5c
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 29, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 29, 2026 - 18:59 vuln.today
Analysis Generated
May 29, 2026 - 18:59 vuln.today

DescriptionGitHub Advisory

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every payment method on the store, disable or alter the default currency, or disable carriers. The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user. This vulnerability is fixed in 2.8.0.

AnalysisAI

Missing authorization enforcement in the Shopper headless e-commerce admin panel (all versions prior to 2.8.0) allows any authenticated low-privilege panel user to disable payment methods, alter the default currency, or disable carriers - actions that should be restricted by per-action permissions. The business impact is severe: a malicious or compromised low-privilege account can cause a complete denial of checkout and undermine pricing integrity across the store. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

Shopper is a Laravel-based headless e-commerce admin panel built with Livewire PHP components (CPE: cpe:2.3:a:shopperlabs:shopper:*:*:*:*:*:*:*:*). The root cause is CWE-862 (Missing Authorization): the Livewire components backing the PaymentMethods, Currencies, and Carriers admin tables rendered inline toggle controls and per-record action buttons (enable, disable, edit, delete) for all authenticated panel users without consulting the application's role-based permission system. The fix in PR #511 addresses this across a broad set of Livewire components by adding the Livewire #[Locked] attribute to protect server-side component properties from client-side manipulation, and by inserting explicit $this->authorize() calls (e.g., $this->authorize('edit_orders')) into action methods. The scope of the fix extends beyond the three named tables to cover customer, order, and product management components as well.

RemediationAI

Upgrade Shopper to version 2.8.0, which is the vendor-confirmed patched release per GitHub Security Advisory GHSA-fxqw-97cc-7g5c (https://github.com/shopperlabs/shopper/security/advisories/GHSA-fxqw-97cc-7g5c) and PR #511 (https://github.com/shopperlabs/shopper/pull/511). If an immediate upgrade is not feasible, a targeted compensating control is to restrict admin panel access so that no untrusted or low-privilege accounts can log in until the patch is applied - this directly eliminates the PR:L attack surface. There is no known configuration toggle to disable the affected inline actions without modifying source code. Applying network-level access controls to the admin panel (e.g., IP allowlisting or VPN-only access) reduces exposure but does not eliminate risk from insider accounts already holding valid low-privilege sessions.

Share

CVE-2026-47745 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy