Shopper
Monthly
Authorization bypass in Shopperlabs Shopper headless e-commerce admin panel prior to 2.8.0 allows authenticated low-privilege users with read-only order permissions to mutate every order in the panel and trigger real Payment Service Provider captures via Filament admin actions. The flaw spans multiple Livewire components beyond orders - including product sub-forms, team settings, and RBAC management - enabling privilege escalation up to role creation and user deletion. No public exploit identified at time of analysis, but a detailed GitHub Security Advisory and patch diff are public.
Discount over-redemption via race condition in Shopper (shopperlabs/shopper prior to v2.8.0) allows concurrent unauthenticated checkout requests to bypass a coupon's global usage_limit, resulting in committed orders carrying unauthorized discounts the merchant never intended to grant. The CreateOrderFromCartAction::execute method created the Order database row before atomically reserving the discount slot, opening a classic TOCTOU window that becomes reliably exploitable under the high-concurrency traffic of flash sales or Black Friday events. A compounding bug rendered usage_limit_per_user entirely non-functional in all pre-2.8.0 versions - the underlying counter was never incremented anywhere in the codebase - meaning per-user caps provided zero protection regardless of a customer's redemption history. No public exploit identified at time of analysis; this CVE is not listed in CISA KEV.
Privilege escalation in shopperlabs/shopper prior to 2.8.0 allows any authenticated admin panel user - regardless of assigned role - to mutate pricing, inventory, SEO metadata, shipping dimensions, and attached media for any product by exploiting missing authorization on Livewire sub-form component store() methods. Because the product ID was accepted as an unlocked public Livewire property, attackers could additionally target arbitrary products by tampering with the wire payload from the client side, not just products they otherwise interact with. No active exploitation confirmed (not in CISA KEV), and no standalone POC code has been published, though the remediation PR diff is publicly available.
Privilege escalation in Shopper headless e-commerce admin panel prior to version 2.8.0 allows any low-privilege authenticated panel user to seize full administrator control by chaining two distinct broken-authorization defects in the team settings module. By combining an unprotected Settings/Team/Index mount with a RolePermission write path that only checks the read-only view_users permission, an attacker can mint new roles, grant themselves manage_users and edit_orders, and delete legitimate administrators. No public exploit identified at time of analysis, but the bugs are straightforward to weaponize once panel credentials are obtained.
Missing authorization enforcement in the Shopper headless e-commerce admin panel (all versions prior to 2.8.0) allows any authenticated low-privilege panel user to disable payment methods, alter the default currency, or disable carriers - actions that should be restricted by per-action permissions. The business impact is severe: a malicious or compromised low-privilege account can cause a complete denial of checkout and undermine pricing integrity across the store. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in Shopperlabs Shopper headless e-commerce admin panel prior to 2.8.0 allows authenticated low-privilege users with read-only order permissions to mutate every order in the panel and trigger real Payment Service Provider captures via Filament admin actions. The flaw spans multiple Livewire components beyond orders - including product sub-forms, team settings, and RBAC management - enabling privilege escalation up to role creation and user deletion. No public exploit identified at time of analysis, but a detailed GitHub Security Advisory and patch diff are public.
Discount over-redemption via race condition in Shopper (shopperlabs/shopper prior to v2.8.0) allows concurrent unauthenticated checkout requests to bypass a coupon's global usage_limit, resulting in committed orders carrying unauthorized discounts the merchant never intended to grant. The CreateOrderFromCartAction::execute method created the Order database row before atomically reserving the discount slot, opening a classic TOCTOU window that becomes reliably exploitable under the high-concurrency traffic of flash sales or Black Friday events. A compounding bug rendered usage_limit_per_user entirely non-functional in all pre-2.8.0 versions - the underlying counter was never incremented anywhere in the codebase - meaning per-user caps provided zero protection regardless of a customer's redemption history. No public exploit identified at time of analysis; this CVE is not listed in CISA KEV.
Privilege escalation in shopperlabs/shopper prior to 2.8.0 allows any authenticated admin panel user - regardless of assigned role - to mutate pricing, inventory, SEO metadata, shipping dimensions, and attached media for any product by exploiting missing authorization on Livewire sub-form component store() methods. Because the product ID was accepted as an unlocked public Livewire property, attackers could additionally target arbitrary products by tampering with the wire payload from the client side, not just products they otherwise interact with. No active exploitation confirmed (not in CISA KEV), and no standalone POC code has been published, though the remediation PR diff is publicly available.
Privilege escalation in Shopper headless e-commerce admin panel prior to version 2.8.0 allows any low-privilege authenticated panel user to seize full administrator control by chaining two distinct broken-authorization defects in the team settings module. By combining an unprotected Settings/Team/Index mount with a RolePermission write path that only checks the read-only view_users permission, an attacker can mint new roles, grant themselves manage_users and edit_orders, and delete legitimate administrators. No public exploit identified at time of analysis, but the bugs are straightforward to weaponize once panel credentials are obtained.
Missing authorization enforcement in the Shopper headless e-commerce admin panel (all versions prior to 2.8.0) allows any authenticated low-privilege panel user to disable payment methods, alter the default currency, or disable carriers - actions that should be restricted by per-action permissions. The business impact is severe: a malicious or compromised low-privilege account can cause a complete denial of checkout and undermine pricing integrity across the store. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.