CVE-2026-47742
Unauthorized Product Data Modification in Shopper Admin Panel

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.
Meta Information

  • Published: 2026-05-29
  • Last Modified: 2026-05-29
  • Generated: 2026-05-30
  • AI Q&A: 2026-05-29
  • EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs

| Vendor | Product | Version / Range |
|---|---|---|
| shopper | headless_e-commerce_admin_panel | to 2.8.0 (exc) |
| shopperlabs | shopper | 2.8.0 |
| shopperlabs | framework | to 2.8.0 (exc) |
| shopperlabs | shopper | to 2.8.0 (exc) |

| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |

AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-47742 is a missing authorization vulnerability in the Shopper e-commerce framework versions prior to 2.8.0. Certain Livewire sub-form components used in the product editor (Edit, Inventory, Seo, Shipping, Files) did not have proper authorization checks on their store() methods.

This flaw allowed any authenticated panel user, regardless of their role, to modify product details such as pricing, stock levels, SEO metadata, shipping dimensions, and attached media without needing the edit_products permission.

Additionally, these components accepted product IDs as public Livewire properties without locking them, enabling attackers to manipulate the wire payload from the client side to target arbitrary products.

The vulnerability was fixed in version 2.8.0 by adding authorization checks and locking product bindings.
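
The pattern described above, next to a hardened form, as an added illustration that is not Shopper's source code. The class names, the `Product` model, the `stock` field and the use of a Laravel gate named `edit_products` are assumptions; it presumes a Laravel application with Livewire 3.

```php
<?php
// Added illustration only: class, model and field names are hypothetical,
// not taken from Shopper. Assumes Laravel + Livewire 3 and a gate or
// permission registered under the name 'edit_products'.

namespace App\Livewire;

use App\Models\Product;               // hypothetical Eloquent model
use Illuminate\Support\Facades\Gate;
use Livewire\Attributes\Locked;
use Livewire\Component;

// BEFORE: the weakness the advisory describes (CWE-862).
class InventoryFormVulnerable extends Component
{
    // Public and unlocked: the value round-trips through the browser,
    // so the client decides which product the action applies to.
    public int $productId;
    public int $stock = 0;

    public function store(): void
    {
        // No permission check: any authenticated panel user reaches this write.
        Product::findOrFail($this->productId)->update(['stock' => $this->stock]);
    }
}

// AFTER: authorization on the action, and the binding locked.
class InventoryFormHardened extends Component
{
    #[Locked] // Livewire throws if the client tries to change this property
    public int $productId;
    public int $stock = 0;

    public function store(): void
    {
        // Raises AuthorizationException (HTTP 403) unless the user holds the ability.
        Gate::authorize('edit_products');

        // Only validated input reaches the model.
        $data = $this->validate(['stock' => ['required', 'integer', 'min:0']]);

        Product::findOrFail($this->productId)->update($data);
    }
}
// render() is omitted in both classes; Livewire 3 falls back to the conventional view.
```

Both controls are needed: the gate check stops users without the permission, and `#[Locked]` stops a permitted user's session from being pointed at a product the form was not mounted for.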


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows any authenticated panel user to modify sensitive product information such as pricing, stock levels, SEO metadata, shipping dimensions, and attached media without proper authorization.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, unauthorized modification of product data could lead to violations of data integrity and access control requirements commonly mandated by such regulations.

Organizations relying on Shopper for e-commerce administration should consider this vulnerability a risk to maintaining proper authorization controls, which are essential for compliance with many security and privacy standards.


How can this vulnerability impact me?

This vulnerability can allow any authenticated user on the admin panel to alter critical product information without proper permissions.

  • Unauthorized modification of product pricing could lead to financial loss or manipulation.
  • Stock levels could be tampered with, causing inventory inaccuracies.
  • SEO metadata changes might affect product visibility and search rankings.
  • Shipping dimensions could be altered, potentially disrupting logistics.
  • Attached media could be changed, impacting product presentation.

Overall, this could lead to data integrity issues, loss of trust, and operational disruptions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves missing authorization checks in certain Livewire sub-form components of the Shopper e-commerce Admin Panel prior to version 2.8.0. Detection would involve verifying the version of the Shopper framework in use and inspecting if unauthorized users can modify product details without the edit_products permission.

Since the vulnerability is related to unauthorized access to the store() method of Livewire components, one way to detect exploitation attempts is to monitor for unusual or unauthorized API calls or requests that attempt to modify product data (pricing, stock, SEO metadata, shipping dimensions, attached media) from authenticated users who should not have such permissions.

Specific commands are not provided in the resources, but general approaches include:

  • Check the installed version of the Shopper framework using composer: `composer show shopper/admin`
  • Review web server or application logs for suspicious POST requests to Livewire endpoints related to product editing.
  • Use network monitoring tools to detect unauthorized modification attempts by authenticated users lacking proper roles.

What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade the Shopper e-commerce Admin Panel to version 2.8.0 or later, where the vulnerability has been fixed by adding proper authorization checks and locking product bindings.

This can be done by running the following composer command:

  • `composer require shopper/admin:^2.8`

Until the upgrade is applied, restrict access to the admin panel to trusted users only and monitor for unauthorized product modification attempts.

