Description
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.
Published: 2026-05-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by missing authorization checks in the store() methods of the Product editor's Livewire sub‑form components in Shopper. Any authenticated admin panel user, regardless of role, may submit a Livewire request to mutate a product's price, inventory, SEO metadata, shipping dimensions, or attached files. This allows an attacker to alter critical product information without the required edit_products permission, effectively compromising the integrity of the catalog.

Affected Systems

ShopperLabs Shopper, prior to version 2.8.0. The authorization flaw exists in all sub‑form components involved in editing product details such as pricing, inventory, SEO, shipping, and media attachments.

Risk and Exploitability

The vulnerability is rated CVSS 6.5 and is not listed in the KEV catalog. The EPSS score is not available. An attacker must be authenticated to the admin interface and can then manipulate the livewire payload to target any product ID. The likely attack vector is a legitimate authenticated user within the admin panel. While the flaw lacks a remote execution path, it represents a medium‑risk integrity violation that could lead to significant operational impact if misused.

Generated by OpenCVE AI on May 29, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Shopper to version 2.8.0 or later, where the store() methods now enforce edit_products authorization.
  • Ensure that any custom Livewire components validating product identifiers are decorated with #[Locked] or otherwise validated to prevent tampering.
  • Review and tighten role permissions, ensuring only users with edit_products privilege can access the product editor, and monitor for unauthorized product modifications.

Generated by OpenCVE AI on May 29, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h4mp-g9c6-xwph Shopper: Missing authorization on Product admin Livewire sub-form components
History

Mon, 01 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Shopperlabs
Shopperlabs shopper
Vendors & Products Shopperlabs
Shopperlabs shopper

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.
Title Shopper: Missing authorization on Product admin Livewire sub-form components
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Shopperlabs Shopper
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T15:19:52.067Z

Reserved: 2026-05-19T22:16:39.504Z

Link: CVE-2026-47742

cve-icon Vulnrichment

Updated: 2026-06-01T15:19:48.626Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T19:16:25.900

Modified: 2026-05-29T20:17:38.110

Link: CVE-2026-47742

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:18:08Z

Weaknesses