CVE-2026-47742

MEDIUM 6.5

Shopper: Missing authorization on Product admin Livewire sub-form components

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

8th

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.

CWE	CWE-862
Vendor	shopperlabs
Product	shopper
Published	May 29, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for shopperlabs shopper

Be the first to know when new medium vulnerabilities affecting shopperlabs shopper are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

shopperlabs / shopper

< 2.8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/shopperlabs/shopper/security/advisories/GHSA-h4mp-g9c6-xwph github.com: https://github.com/shopperlabs/shopper/pull/511