PT-2026-44441 · Packagist · Shopper/Framework

Published: 2026-05-18 · Updated: 2026-05-18

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Impact

Multiple Livewire components in the admin panel allowed an authenticated low-privilege user to mutate data without the required permission:
  • Order detail Filament actions (cancel, mark paid, mark complete, capture payment, archive, start processing) were callable with read orders only and did not require edit orders. capturePayment could trigger an actual PSP capture.
  • Order shipments table actions (mark delivered, edit tracking) were callable with browse orders only.
  • Sub-form Livewire components for products (Edit, Inventory, Seo, Shipping, Files) had no authorization on store(), so any authenticated panel user could mutate product data without edit products.
  • Settings/Team/Index had no mount() authorization at all — any authenticated user could create roles and delete other users.
  • Settings/Team/RolePermission gated its write actions on the read-only view users permission, allowing privilege escalation via the RBAC system itself.
  • PaymentMethods, Currencies, Carriers table toggles and per-record actions had no per-action permission check.
  • Customers/Create::store() re-passed a Hidden password form field into the create payload.
Several public Eloquent model properties on Livewire components were not #[Locked], allowing client-side ID tampering.
A stored XSS surface existed on the product barcode field, which is rendered through DNS1DFacade::getBarcodeHTML() with {!! !!}.
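The fix pattern for the component-level findings above, as an added illustration rather than Shopper's own code: a Livewire 3 product sub-form that authorizes in mount() and again in store(), locks the model ID against client-side tampering, and constrains the barcode alphabet before it can reach a raw {!! !!} render. The permission name "edit products", the Product model and its columns, and a configured Gate backend are assumptions.

```php
<?php
// Added example, not from the Shopper/Framework code base. Assumes a
// Product model with `barcode` and `stock` columns and a Gate ability
// named "edit products" (as the advisory's permission wording suggests).

namespace App\Livewire\Products;

use App\Models\Product;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Locked;
use Livewire\Component;

class Inventory extends Component
{
    use AuthorizesRequests;

    // #[Locked] makes Livewire reject any client-side change to this
    // property, so the product ID fixed at mount() cannot be swapped
    // for another record before store() runs.
    #[Locked]
    public int $productId;

    public ?string $barcode = null;
    public int $stock = 0;

    // Gate the initial render: without this check any authenticated
    // panel user could load the form (the Team/Index finding above).
    public function mount(Product $product): void
    {
        $this->authorize('edit products');
        $this->productId = $product->id;
        $this->barcode = $product->barcode;
        $this->stock = $product->stock;
    }

    // Re-check on every write: mount() does not protect later Livewire
    // requests, and the user's permissions may have changed since.
    public function store(): void
    {
        $this->authorize('edit products');

        // Restrict the barcode to a safe alphabet so a value later passed
        // through getBarcodeHTML() and {!! !!} can never carry markup.
        $validated = $this->validate([
            'barcode' => ['nullable', 'string', 'max:64', 'regex:/^[A-Za-z0-9\-]+$/'],
            'stock'   => ['required', 'integer', 'min:0'],
        ]);

        Product::query()->whereKey($this->productId)->update($validated);
    }
}
```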

Patches

Fixed in v2.8.0. Upgrade via:

```bash
composer require shopper/admin:^2.8 shopper/cart:^2.8 shopper/core:^2.8
```

```shell
php artisan migrate
```

Workarounds

None. Upgrade to v2.8.0.

Resources

Fix

Weakness Enumeration

Missing Authorization

Improper Authorization

Related Identifiers

GHSA-F946-9QP6-VGCH

Affected Products

Shopper/Framework