Baradika

**Name of the Vulnerable Software and Affected Versions** Shopper versions prior to 2.8.0 **Description** Sub-form Livewire components within the product editor—specifically those handling Edit, Inventory, Seo, Shipping, and Files—lack authorization on their `store()` method. This allows any authenticated panel user, regardless of their assigned role, to modify product pricing, stock, SEO metadata, shipping dimensions, and attached media without possessing the `edit products` permission. Additionally, these components accept the product ID as a public Livewire property that is not protected by the `#[Locked]` attribute, enabling an attacker to target arbitrary products by manipulating the wire payload from the client side. **Recommendations** Update to version 2.8.0.

**Name of the Vulnerable Software and Affected Versions** Shopper versions prior to 2.8.0 **Description** Two authorization defects in the team settings allow an authenticated user to compromise the Role-Based Access Control (RBAC) system. The endpoint "Settings/Team/Index" lacks `mount()` authorization, enabling any authenticated user to access the page and utilize public actions to create new roles or delete other users, including administrators. Additionally, the endpoint "Settings/Team/RolePermission" restricts write actions using the read-only `view users` permission. Consequently, any user with `view users` can grant arbitrary permissions, such as `manage users` and `edit orders`, to themselves or others, escalating their privileges to full panel administrator. Together, these flaws allow a low-privilege user to gain administrator rights and remove legitimate administrators. **Recommendations** Update to version 2.8.0.

**Name of the Vulnerable Software and Affected Versions** Shopper versions prior to 2.8.0 **Description** In the admin tables for PaymentMethods, Currencies, and Carriers, inline toggles and per-record actions such as enable, disable, edit, and delete are rendered for any authenticated panel user without verifying the required per-action permissions. This allows a low-privilege user to disable all payment methods, alter or disable the default currency, or disable carriers, resulting in a complete denial of the checkout process and loss of pricing integrity. **Recommendations** Update to version 2.8.0.

**Name of the Vulnerable Software and Affected Versions** Shopper versions prior to 2.8.0 **Description** Authenticated low-privilege users can call multiple Filament actions on the admin Order detail and Order shipments table without the necessary permissions to mutate orders. Specifically, the actions cancel, mark paid, mark complete, capture payment, archive, and start processing are accessible with the read-only `read orders` permission instead of requiring `edit orders`. The `capturePayment()` function can trigger an actual Payment Service Provider (PSP) capture, resulting in real funds movement. Additionally, the mark delivered and edit tracking actions in the order shipments table are accessible with the read-only `browse orders` permission. This allows a user with read access to alter the lifecycle of any order and trigger payment captures. **Recommendations** Update to version 2.8.0.

**Name of the Vulnerable Software and Affected Versions** Shopper versions prior to 2.8.0 **Description** A race condition exists in the `CreateOrderFromCartAction::execute()` function. The system creates an order row before verifying and incrementing the `total use` counter of a discount. Under high concurrent checkout pressure, such as flash sales or viral coupons, the global `usage limit` can be exceeded. This allows orders to be committed with discounts fully applied to the `price amount` even after the counter reaches the `usage limit`, without notifying the merchant of the over-redemption. **Recommendations** Update to version 2.8.0.