CVE-2026-47742: Missing Authorization and Client-Side Property Tampering in Shopper E-commerce Panel
Vulnerability ID: CVE-2026-47742
CVSS Score: 6.5
Published: 2026-06-05
An authorization bypass and client-side property tampering vulnerability (CVE-2026-47742) in the Shopper headless admin panel (built on Laravel and Livewire) allows low-privileged users to modify arbitrary product records (Insecure Direct Object Reference). This occurs due to unlocked public model properties and a complete lack of access control checks on mutating sub-form store methods.
TL;DR
Low-privileged Shopper admin panel users can manipulate Livewire payloads to edit any product's pricing, inventory, SEO, and assets because mutating endpoints lacked authorization checks and model IDs were not locked.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862, CWE-807
- Attack Vector: Network (AV:N)
- CVSS v3.1 Score: 6.5 (Medium)
- EPSS Score: 0.00029 (Percentile: 8.91%)
- Exploit Status: PoC / Conceptual
- CISA KEV Status: Not Listed
Affected Systems
- Shopper Headless E-commerce Admin Panel
- shopper: < 2.8.0 (Fixed in: 2.8.0)
Code Analysis
Commit: fcd0c59
Fix authorization and model lock issues across Livewire components
Mitigation Strategies
- Upgrade the shopperlabs/shopper package to version 2.8.0 or later.
- Manually apply Livewire #[Locked] attributes to product properties in vulnerable administrative components.
- Enforce server-side $this->authorize('edit_products') inside Livewire store() methods.
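The two fixes listed above, shown together in a minimal Livewire 3 sub-form component. This is an added illustration, not code from the Shopper project or its patch: the class, model, view and property names are assumed, and only the edit_products permission comes from the advisory.

```php
<?php
// Added example (not Shopper's code). Assumed names: App\Models\Product,
// the PricingForm component and its properties.

namespace App\Livewire\Products;

use App\Models\Product;
use Livewire\Attributes\Locked;
use Livewire\Component;

class PricingForm extends Component
{
    // Fix 1: #[Locked] makes Livewire reject any client-side write to this
    // property, so a tampered payload cannot point the form at another
    // product's record. Only server-side assignment (e.g. in mount) is allowed.
    #[Locked]
    public int $productId;

    public $price;
    public $oldPrice;

    public function mount(Product $product): void
    {
        $this->productId = $product->id;
        $this->price = $product->price;
        $this->oldPrice = $product->old_price;
    }

    public function store(): void
    {
        // Fix 2: authorize on the server inside the mutating method. Without
        // this line any authenticated panel user can invoke store().
        $this->authorize('edit_products');

        $this->validate([
            'price'    => ['required', 'numeric', 'min:0'],
            'oldPrice' => ['nullable', 'numeric', 'gte:price'],
        ]);

        // Resolve the record from the locked id, never from request input.
        Product::query()->findOrFail($this->productId)->update([
            'price'     => $this->price,
            'old_price' => $this->oldPrice,
        ]);
    }

    public function render()
    {
        return view('livewire.products.pricing-form');
    }
}
```

A quick check for the first fix: submitting an update that changes `productId` from the browser should now fail with Livewire's locked-property exception instead of silently retargeting the write.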
Remediation Steps:
- Run 'composer update shopperlabs/shopper' to pull down the patched release.
- Audit application roles and verify that low-privileged staff do not possess access to mutating administrative endpoints.
- Configure application firewalls (WAF) to log and filter Livewire model manipulation signatures.