Executive Summary

CVE-2026-47745 is a vulnerability in the Shopper Headless e-commerce Admin Panel affecting versions prior to 2.8.0. The issue is that the admin tables for PaymentMethods, Currencies, and Carriers allowed any authenticated user to perform actions such as enabling, disabling, editing, or deleting records without proper per-action permission checks.

This means that low-privilege users could manipulate critical settings like disabling all payment methods, changing the default currency, or disabling carriers, which should normally require higher privileges.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows any authenticated user to disable payment methods, alter default currency, or disable carriers without proper authorization, leading to denial of checkout and pricing integrity loss.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the integrity and availability issues caused by this vulnerability could indirectly impact compliance by disrupting business operations and potentially affecting financial transaction integrity.

However, there is no direct information provided about how this vulnerability affects compliance with specific regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to a full denial of checkout functionality and loss of pricing integrity on the e-commerce store.

• A low-privilege user could disable every payment method, effectively blocking all customer checkouts.
• They could alter the default currency, causing pricing disruptions.
• They could disable carriers, breaking shipping calculations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves missing per-action authorization checks in the Shopper admin panel, allowing any authenticated user to perform actions like enabling, disabling, editing, or deleting PaymentMethods, Currencies, and Carriers without proper permissions.

Detection would involve verifying if low-privilege authenticated users can perform these actions on the admin tables without proper authorization.

Since this is an application-level authorization issue, network-level detection commands are not directly applicable.

A practical approach is to test the application by logging in as a low-privilege user and attempting to perform enable, disable, edit, or delete actions on PaymentMethods, Currencies, and Carriers in the admin panel.

No specific command-line commands are provided in the available resources for automated detection.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Shopper e-commerce framework to version 2.8.0 or later, where this vulnerability is fixed.

The upgrade can be performed using the command: `composer require shopper/admin:^2.8`.

Until the upgrade is applied, restrict access to the admin panel to trusted users only and review user permissions to minimize the risk.

Useful 0 Not Useful 0