GHSA-H4MP-G9C6-XWPH

Vulnerability from github – Published: 2026-06-05 20:33 – Updated: 2026-06-05 20:33
VLAI
Summary
Shopper: Missing authorization on Product admin Livewire sub-form components
Details

Impact

Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products.

The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client.

Patches

Fixed in v2.8.0. Each sub-form store() now authorizes against edit_products and the product binding is locked.

Upgrade via:

composer require shopper/admin:^2.8

Workarounds

None. Upgrade to v2.8.0.

References

  • Pull request: https://github.com/shopperlabs/shopper/pull/511
  • CWE-862 Missing Authorization
Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopper/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T20:33:47Z",
    "nvd_published_at": "2026-05-29T19:16:25Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nSub-form Livewire components used in the product editor (`Edit`, `Inventory`, `Seo`, `Shipping`, `Files`) had no authorization on their `store()` method. Any authenticated panel user, regardless of role, could mutate any product\u0027s pricing, stock, SEO metadata, shipping dimensions, and attached media without holding `edit_products`.\n\nThe affected components accepted the product ID as a public Livewire property without `#[Locked]`, so an attacker could also target an arbitrary product by tampering with the wire payload from the client.\n\n## Patches\n\nFixed in `v2.8.0`. Each sub-form `store()` now authorizes against `edit_products` and the product binding is locked.\n\nUpgrade via:\n\n```bash\ncomposer require shopper/admin:^2.8\n```\n\n## Workarounds\n\nNone. Upgrade to `v2.8.0`.\n\n## References\n\n- Pull request: https://github.com/shopperlabs/shopper/pull/511\n- CWE-862 Missing Authorization",
  "id": "GHSA-h4mp-g9c6-xwph",
  "modified": "2026-06-05T20:33:47Z",
  "published": "2026-06-05T20:33:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopperlabs/shopper/security/advisories/GHSA-h4mp-g9c6-xwph"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47742"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopperlabs/shopper/pull/511"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopperlabs/shopper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Shopper: Missing authorization on Product admin Livewire sub-form components"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.