CVE-2026-47745: Missing Authorization in Shopper Admin Panel Settings
Vulnerability ID: CVE-2026-47745
CVSS Score: 6.5
Published: 2026-06-05
Shopper is an open-source headless e-commerce administration panel built on Laravel, Livewire, and Filament. Prior to version 2.8.0, the admin tables for PaymentMethods, Currencies, and Carriers exposed inline toggles and per-record actions that could be modified by any authenticated user without verifying the corresponding administrative permissions on the backend.
TL;DR
Missing server-side authorization checks in Shopper e-commerce admin panels allow any authenticated user to disable payment methods, currencies, and carrier configurations via forged Livewire update requests.
Technical Details
- CWE ID: CWE-862
- Attack Vector: Network (AV:N)
- CVSS Score: 6.5
- EPSS Score: 0.00029
- Exploit Status: none
- CISA KEV Status: Not Listed
Affected Systems
- Shopper (Laravel/Livewire/Filament E-Commerce Administration Panel)
- Shopper: < 2.8.0 (Fixed in: 2.8.0)
Code Analysis
Commit: fcd0c59
Comprehensive administrative panel hardening including backend authorization checks for carriers, currencies, and payment methods configurations
Mitigation Strategies
- Upgrade the shopperlabs/shopper package to version 2.8.0 or newer
- Apply backend policies and permissions controls using standard Filament authorization features
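As an added illustration of the second bullet (example code, not Shopper's own fix from PR 511), the table below puts the permission check inside the server-side handlers of a Filament table, so the check runs regardless of what the browser rendered; the PaymentMethod model, its `is_enabled` attribute and the `update`/`delete` policy abilities are assumptions:

```php
<?php
// Added hardening example, not Shopper's patch. Assumed: a PaymentMethod
// model with an `is_enabled` flag and a registered PaymentMethodPolicy
// whose update()/delete() methods encode the admin settings permission.

namespace App\Filament\Tables;

use App\Models\PaymentMethod;
use Filament\Tables\Actions\DeleteAction;
use Filament\Tables\Columns\ToggleColumn;
use Filament\Tables\Table;
use Illuminate\Support\Facades\Gate;

final class PaymentMethodTable
{
    public static function configure(Table $table): Table
    {
        return $table
            ->columns([
                ToggleColumn::make('is_enabled')
                    // Cosmetic only: greys out the switch for users who may
                    // not update. A crafted Livewire update call bypasses it.
                    ->disabled(fn (PaymentMethod $record): bool => Gate::denies('update', $record))
                    // The enforcing check: runs on the server for every state
                    // change and aborts with 403 when the policy denies it.
                    ->beforeStateUpdated(function (PaymentMethod $record, bool $state): void {
                        Gate::authorize('update', $record);
                    }),
            ])
            ->actions([
                DeleteAction::make()
                    // Same rule for the per-record action: authorize inside
                    // the server-side handler rather than only hiding the button.
                    ->using(function (PaymentMethod $record): void {
                        Gate::authorize('delete', $record);
                        $record->delete();
                    }),
            ]);
    }
}
```

The `disabled()` call improves the UI but is not a control; the `Gate::authorize()` calls are what stop a forged Livewire request from a user who lacks the policy ability.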
Remediation Steps:
- Run 'composer update shopperlabs/shopper' to pull the secure release version
- Audit existing staff roles to verify that settings permissions are restricted appropriately
- Implement application monitoring to track access to administrative settings pages
References
- GitHub Security Advisory GHSA-fxqw-97cc-7g5c
- GitHub Pull Request 511
- Official Patch Commit
- CVE.org Record