Description
Shopper is a headless e-commerce admin panel. Prior to 2.8.0, multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0.
Published: 2026-05-29
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Shopper, a headless e-commerce admin panel, contains an authorization bypass that lets an authenticated user with only read‑level permissions modify orders. Prior to version 2.8.0, users with the read_orders permission could trigger actions such as cancel, mark paid, mark complete, capture payment, archive, and start processing on the order detail view, while users with the browse_orders permission could mark shipments as delivered or edit tracking. The capturePayment action could move real funds through a payment service provider, allowing an attacker to alter order state and initiate payment capture without proper authorization. This flaw violates both the Authentication and Authorization control categories.

Affected Systems

Shopper Labs' Shopper headless e-commerce admin panel: any installed instance running a version older than 2.8.0. The advisories list no specific sub-versions; all releases before 2.8.0 are affected.

Risk and Exploitability

The CVSS score of 8.1 indicates a high-severity flaw. The EPSS score is not available, and the vulnerability is not in the CISA KEV catalog, which suggests no known widespread exploitation yet. The likely attack vector is exploitation from inside the admin interface, requiring only an authenticated account with a read-only role. Once such a low-privilege user sends a request to one of these action endpoints, the system performs the requested state change and, for capturePayment, executes an external transaction. The scope covers every order in the panel, so the entire e-commerce lifecycle of the affected organization can be compromised.

Generated by OpenCVE AI on May 29, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Shopper to version 2.8.0 or later.
  • After upgrading, review and enforce that read‑only permissions (read_orders, browse_orders) cannot invoke mutation actions such as cancel, mark paid, or capture payment.
  • Validate that all user roles are correctly mapped, ensuring that only users with edit_orders or equivalent rights can perform order‑mutation actions.
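The pattern behind the recommended checks, as an added illustration that is not Shopper's own code: a Filament v3 page action that performs an order mutation, first in the unguarded shape the advisory describes (the closure runs for any user who can open the page) and then gated on the edit_orders permission both in the UI and inside the action itself. The ability name edit_orders comes from the advisory; the Order model's markAsPaid() method is hypothetical.

```php
<?php

namespace App\Filament\Resources\OrderResource\Pages;

use Filament\Actions\Action;
use Filament\Resources\Pages\ViewRecord;
use Illuminate\Support\Facades\Gate;

// Added example (not from the Shopper project). Assumes a Laravel Gate
// ability named "edit_orders" and an Order model with markAsPaid().
class ViewOrder extends ViewRecord
{
    protected function getHeaderActions(): array
    {
        return [
            // Unguarded shape: reading the order is enough to reach this page,
            // so a user holding only read_orders can invoke the mutation.
            Action::make('markPaidUnguarded')
                ->label('Mark paid (unguarded)')
                ->action(fn () => $this->record->markAsPaid()),

            // Hardened shape: hide the control from users without edit_orders
            // AND re-check the ability server-side when the action runs, so
            // a crafted Livewire call cannot bypass the visibility rule.
            Action::make('markPaid')
                ->label('Mark paid')
                ->visible(fn (): bool => Gate::allows('edit_orders'))
                ->requiresConfirmation()
                ->action(function (): void {
                    // Throws AuthorizationException (HTTP 403) for read-only roles.
                    Gate::authorize('edit_orders');
                    $this->record->markAsPaid();
                }),
        ];
    }
}
```

The same in-action Gate::authorize() check belongs on every mutating action the advisory lists (cancel, mark complete, capture payment, archive, start processing, mark delivered, edit tracking), since a visibility rule alone is a UI hint rather than an authorization boundary.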


Advisories

Source: GitHub GHSA
ID: GHSA-f946-9qp6-vgch
Title: shopper/framework: Authorization bypass in multiple Livewire admin components
History

Tue, 02 Jun 2026 02:30:00 +0000

Metrics, values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 30 May 2026 23:00:00 +0000

First Time appeared, values added: Shopperlabs; Shopperlabs shopper
Vendors & Products, values added: Shopperlabs; Shopperlabs shopper

Fri, 29 May 2026 18:30:00 +0000

Description, values added: the CVE description shown at the top of this page
Title, values added: Shopper: Authorization bypass in multiple Livewire admin components
Weaknesses, values added: CWE-285; CWE-862
References, values added: none listed
Metrics, values added: cvssV3_1
{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T01:50:53.411Z

Reserved: 2026-05-19T22:16:39.504Z

Link: CVE-2026-47740

Vulnrichment

Updated: 2026-06-02T01:50:48.536Z

NVD

Status : Deferred

Published: 2026-05-29T19:16:25.620

Modified: 2026-05-29T20:17:38.110

Link: CVE-2026-47740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:18:05Z

Weaknesses