Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every payment method on the store, disable or alter the default currency, or disable carriers. The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user. This vulnerability is fixed in 2.8.0.
AnalysisAI
Missing authorization enforcement in the Shopper headless e-commerce admin panel (all versions prior to 2.8.0) allows any authenticated low-privilege panel user to disable payment methods, alter the default currency, or disable carriers - actions that should be restricted by per-action permissions. The business impact is severe: a malicious or compromised low-privilege account can cause a complete denial of checkout and undermine pricing integrity across the store. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
Shopper is a Laravel-based headless e-commerce admin panel built with Livewire PHP components (CPE: cpe:2.3:a:shopperlabs:shopper:*:*:*:*:*:*:*:*). The root cause is CWE-862 (Missing Authorization): the Livewire components backing the PaymentMethods, Currencies, and Carriers admin tables rendered inline toggle controls and per-record action buttons (enable, disable, edit, delete) for all authenticated panel users without consulting the application's role-based permission system. The fix in PR #511 addresses this across a broad set of Livewire components by adding the Livewire #[Locked] attribute to protect server-side component properties from client-side manipulation, and by inserting explicit $this->authorize() calls (e.g., $this->authorize('edit_orders')) into action methods. The scope of the fix extends beyond the three named tables to cover customer, order, and product management components as well.
RemediationAI
Upgrade Shopper to version 2.8.0, which is the vendor-confirmed patched release per GitHub Security Advisory GHSA-fxqw-97cc-7g5c (https://github.com/shopperlabs/shopper/security/advisories/GHSA-fxqw-97cc-7g5c) and PR #511 (https://github.com/shopperlabs/shopper/pull/511). If an immediate upgrade is not feasible, a targeted compensating control is to restrict admin panel access so that no untrusted or low-privilege accounts can log in until the patch is applied - this directly eliminates the PR:L attack surface. There is no known configuration toggle to disable the affected inline actions without modifying source code. Applying network-level access controls to the admin panel (e.g., IP allowlisting or VPN-only access) reduces exposure but does not eliminate risk from insider accounts already holding valid low-privilege sessions.
Privilege escalation in Shopper headless e-commerce admin panel prior to version 2.8.0 allows any low-privilege authenti
Authorization bypass in Shopperlabs Shopper headless e-commerce admin panel prior to 2.8.0 allows authenticated low-priv
Privilege escalation in shopperlabs/shopper prior to 2.8.0 allows any authenticated admin panel user - regardless of ass
Discount over-redemption via race condition in Shopper (shopperlabs/shopper prior to v2.8.0) allows concurrent unauthent
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33406
GHSA-fxqw-97cc-7g5c