PatchSiren cyber security CVE debrief
CVE-2026-47742 shopperlabs CVE debrief
CVE-2026-47742 is a medium-severity authorization bypass in Shopper, a Headless e-commerce Admin Panel. Prior to version 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) lacked authorization checks on their store() method. Any authenticated panel user, regardless of role, could modify any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding the edit_products permission. The affected components accepted the product ID as a public Livewire property without the #[Locked] attribute, enabling attackers to target arbitrary products by tampering with the wire payload from the client. The vulnerability was fixed in version 2.8.0.
- Vendor: shopperlabs
- Product: shopper
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running Shopper e-commerce Admin Panel versions prior to 2.8.0, particularly those with multi-user admin environments where role separation is critical. Security teams responsible for Laravel/Livewire applications should also review for similar patterns.
Technical summary
The vulnerability exists in Shopper's Sub-form Livewire components (Edit, Inventory, Seo, Shipping, Files) used within the product editor. These components expose a store() method without authorization checks, allowing any authenticated user to invoke it. The product ID is passed as a public Livewire property without the #[Locked] attribute, enabling client-side manipulation of the wire payload to target arbitrary products. This permits unauthorized modification of pricing, inventory, SEO metadata, shipping dimensions, and media attachments. The fix in version 2.8.0 adds proper authorization controls and protects sensitive properties.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Shopper to version 2.8.0 or later to remediate this vulnerability
- Review and audit Livewire components for proper authorization checks on all state-mutating methods
- Apply #[Locked] attribute to sensitive public properties in Livewire components to prevent client-side tampering
- Implement role-based access control (RBAC) verification before allowing product data modifications
- Monitor access logs for unusual product modification activity by users without edit_products permissions
- Conduct security review of custom Livewire components for similar authorization gaps
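The two controls named above (an authorization check on the mutating method and #[Locked] on the ID property), shown on a sub-form component as an added example that is not Shopper's own code. The namespace, the Product model, its stock column, the view name, and the registration of edit_products as a Gate ability are assumptions made for illustration.

```php
<?php

namespace App\Livewire\Products; // hypothetical namespace, not Shopper's

use App\Models\Product; // hypothetical Eloquent model with a "stock" column
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Locked;
use Livewire\Component;

class InventoryForm extends Component
{
    use AuthorizesRequests;

    // Locked: Livewire rejects any client-sent update to this property,
    // so the target product cannot be swapped in the wire payload.
    #[Locked]
    public int $productId;

    // Editable field; stays unlocked and is validated in store().
    public int $stock = 0;

    public function mount(int $productId): void
    {
        // Assumes edit_products is exposed as a Gate ability
        // (for example through a permissions package).
        $this->authorize('edit_products');

        $this->productId = $productId;
        $this->stock = (int) Product::findOrFail($productId)->stock;
    }

    public function store(): void
    {
        // Each Livewire action arrives as its own request and mount() does
        // not run again, so the permission is re-checked before any write.
        $this->authorize('edit_products');

        $validated = $this->validate([
            'stock' => ['required', 'integer', 'min:0'],
        ]);

        Product::findOrFail($this->productId)->update($validated);
    }

    public function render()
    {
        return view('livewire.products.inventory-form'); // hypothetical view
    }
}
```

When reviewing other components, apply the same two questions to every public method that writes data and every public property that identifies a record.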
Evidence notes
The vulnerability description is sourced from the official CVE record and NVD entry. The affected product is Shopper, a Headless e-commerce Admin Panel. The vulnerability affects versions prior to 2.8.0. The root cause is missing authorization on Livewire component store() methods and lack of #[Locked] protection on public product ID properties. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, scoring 6.5 (MEDIUM). The weakness is classified as CWE-862 (Missing Authorization).
Official resources
The CVE was published on 2026-05-29T19:16:25.900Z and modified on 2026-05-29T20:17:38.110Z.