CVE-2026-47744: Improper Privilege Management and State Tampering in Shopper E-commerce Administration Panel
Vulnerability ID: CVE-2026-47744
CVSS Score: 9.9
Published: 2026-06-05
Shopper, an open-source headless e-commerce administration panel, is vulnerable to a critical privilege escalation and state tampering vulnerability. By exploiting missing page authorization and improper permission checks in the team settings component, combined with unlocked Livewire model properties, any authenticated low-privilege user can escalate their role to administrator. This allows full control over the e-commerce configuration, customer data, and order states.
TL;DR
A critical privilege escalation flaw in Shopper allows low-privilege panel users to bypass access controls, gain administrative privileges, and tamper with arbitrary orders and customer records due to missing authorization gates and unlocked Livewire properties.
Technical Details
- CWE ID: CWE-269
- Attack Vector: Network
- CVSS Score: 9.9 (Critical)
- Exploit Status: No public PoC
- Affected Versions: < 2.8.0
- Patched Version: 2.8.0
Affected Systems
- Shopper (shopperlabs/shopper)
Mitigation Strategies
- Upgrade to Shopper version 2.8.0 or higher.
- Implement explicit mount() authorization checks in all Livewire components.
- Use Livewire's #[Locked] attribute for public model properties to prevent state tampering.
- Apply WAF rules to intercept unauthorized requests targeting administrative Livewire endpoints.
Remediation Steps:
- Update shopperlabs/shopper requirement in composer.json to '^2.8.0'.
- Run 'composer update shopperlabs/shopper'.
- Run 'php artisan cache:clear', 'php artisan view:clear', and 'php artisan route:clear' to clear and rebuild caches.
- Verify that all staff accounts have correct roles and permissions in the database.
Read the full report for CVE-2026-47744 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)