GHSA-F946-9QP6-VGCH

Vulnerability from github – Published: 2026-05-18 16:34 – Updated: 2026-05-18 16:34
Summary
shopper/framework: Authorization bypass in multiple Livewire admin components
Details

Impact

Multiple Livewire components in the admin panel allowed an authenticated low-privilege user to mutate data without the required permission:

  • Order detail Filament actions (cancel, mark paid, mark complete, capture payment, archive, start processing) were callable with read_orders only and did not require edit_orders. capturePayment could trigger an actual PSP capture.
  • Order shipments table actions (mark delivered, edit tracking) were callable with browse_orders only.
  • Sub-form Livewire components for products (Edit, Inventory, Seo, Shipping, Files) had no authorization on store(), so any authenticated panel user could mutate product data without edit_products.
  • Settings/Team/Index had no mount() authorization at all — any authenticated user could create roles and delete other users.
  • Settings/Team/RolePermission gated its write actions on the read-only view_users permission, allowing privilege escalation via the RBAC system itself.
  • PaymentMethods, Currencies, Carriers table toggles and per-record actions had no per-action permission check.
  • Customers/Create::store() re-passed a Hidden _password form field into the create payload.

Several public Eloquent model properties on Livewire components were not #[Locked], allowing client-side ID tampering.

A stored XSS surface existed on the product barcode field, which is rendered through DNS1DFacade::getBarcodeHTML() with {!! !!}.
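To make the reported pattern concrete, here is an added illustration (not code from shopper or from the advisory) of one product sub-form Livewire component written the way the Impact section describes it, beside a hardened version that adds per-action authorization, locks the model binding, and constrains the barcode input before it ever reaches the raw-HTML renderer. The class names, the view name, the Product model columns, the barcode allow-list regex, and the assumption that a Gate ability or permission named edit_products is registered are all mine for the example; the same mount()/action check applies to the Settings/Team components the advisory lists.

```php
<?php

// Added example, not shopper's own code. Assumes Livewire 3, a Product
// model with name/barcode columns, and an 'edit_products' permission
// resolvable through Laravel's Gate (e.g. via spatie/laravel-permission).

namespace App\Livewire\Products;

use App\Models\Product;
use Illuminate\Support\Facades\Gate;
use Livewire\Attributes\Locked;
use Livewire\Component;

/**
 * BEFORE: the shape the advisory reports.
 *  - $product is a public model property without #[Locked], so the
 *    Livewire payload can be edited client-side to bind another record.
 *  - store() never checks a permission, so any authenticated panel user
 *    can update the product without edit_products.
 *  - barcode is accepted verbatim and later rendered through {!! !!}.
 */
class VulnerableProductForm extends Component
{
    public Product $product;      // tamperable: no #[Locked]
    public string $name = '';
    public string $barcode = '';

    public function mount(Product $product): void
    {
        // No authorization here either: the form renders for everyone.
        $this->product = $product;
        $this->name = (string) $product->name;
        $this->barcode = (string) $product->barcode;
    }

    public function store(): void
    {
        // Missing authorization (CWE-862): read-only users reach this.
        $this->product->update([
            'name' => $this->name,
            'barcode' => $this->barcode,
        ]);
    }

    public function render()
    {
        return view('livewire.products.form'); // assumed view name
    }
}

/**
 * AFTER: authorization on mount() and on every write action, a locked
 * model binding, and an allow-list on the field that is rendered raw.
 */
class HardenedProductForm extends Component
{
    #[Locked]                     // Livewire rejects client-side changes
    public Product $product;
    public string $name = '';
    public string $barcode = '';

    public function mount(Product $product): void
    {
        Gate::authorize('edit_products');   // 403 before anything renders
        $this->product = $product;
        $this->name = (string) $product->name;
        $this->barcode = (string) $product->barcode;
    }

    public function store(): void
    {
        // Re-check on the action itself: mount() ran in an earlier request
        // and a role change in between must not leave a window open.
        Gate::authorize('edit_products');

        $this->validate([
            'name' => ['required', 'string', 'max:255'],
            // Assumed allow-list: the barcode generator's HTML output is
            // still printed with {!! !!} in Blade, so markup must never be
            // storable in the field it is built from.
            'barcode' => ['nullable', 'regex:/^[A-Za-z0-9\-]{1,64}$/'],
        ]);

        $this->product->update([
            'name' => $this->name,
            'barcode' => $this->barcode,
        ]);
    }

    public function render()
    {
        return view('livewire.products.form'); // assumed view name
    }
}
```

The two checks are deliberately separate: the one in mount() stops the form from rendering at all, while the one in store() is the control that actually protects the write, because Livewire actions are independent HTTP requests and a client can call store() directly without ever having rendered the component. Locking the model property closes the ID-tampering path the advisory mentions, and the validation rule keeps the raw-HTML barcode rendering safe by constraining what can be stored rather than by trying to escape generator output.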

Patches

Fixed in v2.8.0. Upgrade via:

composer require shopper/admin:^2.8 shopper/cart:^2.8 shopper/core:^2.8
php artisan migrate

Workarounds

None. Upgrade to v2.8.0.

Resources

  • Pull request: https://github.com/shopperlabs/shopper/pull/511
  • CWE-862 Missing Authorization
  • CWE-285 Improper Authorization

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopper/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T16:34:23Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Impact\n\nMultiple Livewire components in the admin panel allowed an authenticated low-privilege user to mutate data without the required permission:\n\n- Order detail Filament actions (cancel, mark paid, mark complete, capture payment, archive, start processing) were callable with `read_orders` only and did not require `edit_orders`. `capturePayment` could trigger an actual PSP capture.\n- Order shipments table actions (mark delivered, edit tracking) were callable with `browse_orders` only.\n- Sub-form Livewire components for products (Edit, Inventory, Seo, Shipping, Files) had no authorization on `store()`, so any authenticated panel user could mutate product data without `edit_products`.\n- `Settings/Team/Index` had no `mount()` authorization at all \u2014 any authenticated user could create roles and delete other users.\n- `Settings/Team/RolePermission` gated its write actions on the read-only `view_users` permission, allowing privilege escalation via the RBAC system itself.\n- `PaymentMethods`, `Currencies`, `Carriers` table toggles and per-record actions had no per-action permission check.\n- `Customers/Create::store()` re-passed a Hidden `_password` form field into the create payload.\n\nSeveral public Eloquent model properties on Livewire components were not `#[Locked]`, allowing client-side ID tampering.\n\nA stored XSS surface existed on the product barcode field, which is rendered through `DNS1DFacade::getBarcodeHTML()` with `{!! !!}`.\n\n## Patches\n\nFixed in `v2.8.0`. Upgrade via:\n\n```bash\ncomposer require shopper/admin:^2.8 shopper/cart:^2.8 shopper/core:^2.8\n```\n\n```shell\nphp artisan migrate\n```\n\n## Workarounds\n\nNone. Upgrade to `v2.8.0`.\n\n## Resources\n\n- Pull request: https://github.com/shopperlabs/shopper/pull/511\n- CWE-862 Missing Authorization\n- CWE-285 Improper Authorization",
  "id": "GHSA-f946-9qp6-vgch",
  "modified": "2026-05-18T16:34:23Z",
  "published": "2026-05-18T16:34:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopperlabs/shopper/security/advisories/GHSA-f946-9qp6-vgch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopperlabs/shopper/issues/510"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopperlabs/shopper/pull/511"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopperlabs/shopper/commit/fcd0c5920588702df5b874f432b1042abd77a50b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopperlabs/shopper"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopperlabs/shopper/releases/tag/v2.8.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "shopper/framework: Authorization bypass in multiple Livewire admin components"
}

