CVE-2026-47742
Published 2026-05-29
Priority: P3 (40)
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.22% (12.5th percentile)
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shopper | framework | >= 0 < 2.8.0 | 2.8.0 |
| shopperlabs | shopper | < 2.8.0 | 2.8.0 |
GHSA
Shopper: Missing authorization on Product admin Livewire sub-form components
ghsa·2026-06-05
CVE-2026-47742 [MEDIUM] CWE-862 Shopper: Missing authorization on Product admin Livewire sub-form components
## Impact
Sub-form Livewire components used in the product editor (`Edit`, `Inventory`, `Seo`, `Shipping`, `Files`) had no authorization on their `store()` method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding `edit_products`.
The affected components accepted the product ID as a public Livewire property without `#[Locked]`, so an attacker could also target an arbitrary product by tampering with the wire payload from the client.
## Patches
Fixed in `v2.8.0`. Each sub-form `store()` now authorizes against `edit_products` and the product binding is locked.
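The pattern described above, shown as an added Livewire 3 example that is not Shopper's own code: a sub-form with an unlocked product ID and no permission check, beside the hardened form. The class names, the `App\Models\Product` model, the `stock` column, and `edit_products` being registered as a Gate ability are assumptions made for illustration.

```php
<?php

namespace App\Livewire; // hypothetical namespace, not Shopper's

use App\Models\Product;               // assumed Eloquent model
use Illuminate\Support\Facades\Gate;
use Livewire\Attributes\Locked;
use Livewire\Attributes\Validate;
use Livewire\Component;

// BEFORE: the shape of the flaw. render() is omitted in both classes;
// Livewire 3 resolves the view by naming convention. In a real app each
// class lives in its own file.
class InventoryFormVulnerable extends Component
{
    // Public and unlocked: the value travels to the browser and whatever
    // comes back in the update payload is accepted as the target product.
    public int $productId;

    #[Validate('required|integer|min:0')]
    public int $stock = 0;

    public function store(): void
    {
        $this->validate();
        // No permission check: any authenticated panel user gets here.
        Product::findOrFail($this->productId)->update(['stock' => $this->stock]);
    }
}

// AFTER: both halves of the fix the advisory names.
class InventoryFormHardened extends Component
{
    // Locked: Livewire throws if the client tries to change this property.
    #[Locked]
    public int $productId;

    #[Validate('required|integer|min:0')]
    public int $stock = 0;

    public function store(): void
    {
        // Throws AuthorizationException (HTTP 403) unless the current user
        // holds the ability. Assumes edit_products is a registered ability.
        Gate::authorize('edit_products');
        $this->validate();
        Product::findOrFail($this->productId)->update(['stock' => $this->stock]);
    }
}
```

The two controls cover different gaps: `#[Locked]` stops a user from retargeting the component at another product, while the `store()` check stops a user without `edit_products` from writing at all, so both are needed.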
Upgrade via:
```bash
composer require s
```
VulDB
shopperlabs shopper up to 2.7.x Sub-form Livewire authorization
vuldb·2026-05-29·CVSS 6.5
CVE-2026-47742 [MEDIUM] shopperlabs shopper up to 2.7.x Sub-form Livewire authorization
A vulnerability marked as problematic has been reported in shopperlabs shopper up to 2.7.x. The affected element is an unknown function of the component Sub-form Livewire. Performing a manipulation results in missing authorization.
This vulnerability is cataloged as CVE-2026-47742. It is possible to initiate the attack remotely. There is no exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-29
Published