CVE-2026-47742: CWE-862: Missing Authorization in shopperlabs shopper
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.
AI Analysis
Technical Summary
Shopperlabs shopper before version 2.8.0 contains a CWE-862 missing authorization vulnerability in its product editor's Sub-form Livewire components (Edit, Inventory, Seo, Shipping, Files). The store() method of these components did not enforce authorization, allowing any authenticated user to mutate sensitive product attributes without the necessary permissions. The product ID was exposed as a public property without locking, enabling attackers to manipulate the wire payload to affect arbitrary products. This vulnerability is addressed in version 2.8.0.
Potential Impact
An authenticated user with any role in the admin panel could modify critical product information such as pricing, stock levels, SEO metadata, shipping dimensions, and attached media without proper authorization. This could lead to unauthorized changes in product data integrity and business impact related to product listings. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade shopperlabs shopper to version 2.8.0 or later, where this authorization issue has been fixed. Since no official patch link or vendor advisory is provided, confirm the upgrade from the vendor's official release notes or repository. Until upgraded, restrict authenticated user roles to trusted personnel only, as all authenticated users can exploit this vulnerability.
CVE-2026-47742: CWE-862: Missing Authorization in shopperlabs shopper
Description
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.
CVSS v3.1
Score 6.5medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Shopperlabs shopper before version 2.8.0 contains a CWE-862 missing authorization vulnerability in its product editor's Sub-form Livewire components (Edit, Inventory, Seo, Shipping, Files). The store() method of these components did not enforce authorization, allowing any authenticated user to mutate sensitive product attributes without the necessary permissions. The product ID was exposed as a public property without locking, enabling attackers to manipulate the wire payload to affect arbitrary products. This vulnerability is addressed in version 2.8.0.
Potential Impact
An authenticated user with any role in the admin panel could modify critical product information such as pricing, stock levels, SEO metadata, shipping dimensions, and attached media without proper authorization. This could lead to unauthorized changes in product data integrity and business impact related to product listings. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade shopperlabs shopper to version 2.8.0 or later, where this authorization issue has been fixed. Since no official patch link or vendor advisory is provided, confirm the upgrade from the vendor's official release notes or repository. Until upgraded, restrict authenticated user roles to trusted personnel only, as all authenticated users can exploit this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-19T22:16:39.504Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19dc07e29bf47b50ff85e0
Added to database: 5/29/2026, 6:33:43 PM
Last enriched: 5/29/2026, 6:50:43 PM
Last updated: 5/31/2026, 4:53:43 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.