CVE-2026-47745
Published 2026-05-29
Priority: P3 · 37 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.22% (12.5th percentile)
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every payment method on the store, disable or alter the default currency, or disable carriers. The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user. This vulnerability is fixed in 2.8.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shopper | framework | >= 0 < 2.8.0 | 2.8.0 |
| shopperlabs | shopper | < 2.8.0 | 2.8.0 |
GHSA
Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables
ghsa·2026-06-05
CVE-2026-47745 [MEDIUM] CWE-862 Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables
## Impact
The admin tables for `PaymentMethods`, `Currencies` and `Carriers` exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could:
- Disable every payment method on the store, blocking checkout.
- Disable or alter the default currency, changing displayed prices and the exchange rate basis.
- Disable carriers, breaking shipping rate computation at checkout.
The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user.
## Patches
Fixed in `v2.8.0`. Each toggle and per-record action now re
VulDB
shopperlabs shopper up to 2.7.x PaymentMethods authorization
vuldb·2026-05-29·CVSS 6.5
CVE-2026-47745 [MEDIUM] shopperlabs shopper up to 2.7.x PaymentMethods authorization
A vulnerability identified as problematic has been detected in shopperlabs shopper up to 2.7.x. This issue affects some unknown processing of the component PaymentMethods. This manipulation causes missing authorization.
This vulnerability is tracked as CVE-2026-47745. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-29