PT-2026-44941 · Shopper · Shopper

Published: 2026-05-29
Updated: 2026-05-29
CVE-2026-47740
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Shopper versions prior to 2.8.0

Description: Authenticated low-privilege users can call multiple Filament actions on the admin Order detail page and the Order shipments table without the permissions required to mutate orders. Specifically, the actions cancel, mark paid, mark complete, capture payment, archive, and start processing are accessible with the read-only read orders permission instead of requiring edit orders. The capturePayment() function can trigger an actual Payment Service Provider (PSP) capture, resulting in real funds movement. Additionally, the mark delivered and edit tracking actions in the order shipments table are accessible with the read-only browse orders permission. This allows a user with read access to alter the lifecycle of any order and trigger payment captures.

Recommendations: Update to version 2.8.0.
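The defect class the description names, as an added example that is not Shopper's own code or its fix: a Filament v3 capturePayment action gated only on the read permission, beside a version that requires the edit permission both in the visibility callback and inside the handler itself. The permission strings, the Order model columns and the PspClient interface are assumptions.

```php
<?php
// Added illustration, not Shopper's own code or its fix. Assumptions: Filament v3
// actions, a Laravel permission setup where $user->can('edit orders') resolves
// (e.g. spatie/laravel-permission), an Eloquent Order model with payment_reference,
// total and payment_status columns, and the hypothetical PspClient interface below.

use Filament\Actions\Action;
use Filament\Notifications\Notification;

interface PspClient
{
    public function capture(string $paymentReference, int $amountMinor): void;
}

// Weak form: the control is shown to anyone who may read orders, and the handler
// performs no authorization check of its own, so a read-only user can move real funds.
function capturePaymentWeak(): Action
{
    return Action::make('capturePayment')
        ->visible(fn (): bool => auth()->user()->can('read orders'))
        ->action(function (Order $record): void {
            app(PspClient::class)->capture($record->payment_reference, $record->total);
            $record->update(['payment_status' => 'captured']);
        });
}

// Hardened form: the mutating permission gates the control and the handler.
// The abort_unless() inside the closure is the security-relevant part: it holds
// even if the visibility callback is misconfigured or the action is mounted directly.
function capturePaymentHardened(): Action
{
    return Action::make('capturePayment')
        ->requiresConfirmation()
        ->visible(fn (): bool => auth()->user()->can('edit orders'))
        ->action(function (Order $record): void {
            abort_unless(auth()->user()->can('edit orders'), 403);
            // State check: only a payment that is authorized and not yet captured may be captured.
            abort_unless($record->payment_status === 'authorized', 422);
            app(PspClient::class)->capture($record->payment_reference, $record->total);
            $record->update(['payment_status' => 'captured']);
            Notification::make()->title('Payment captured')->success()->send();
        });
}
```

The same two-layer check applies to the table actions (Filament\Tables\Actions\Action) used for mark delivered and edit tracking on the shipments table, where browse orders is likewise a read-only permission.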

Fix

Weakness Enumeration: Improper Authorization; Missing Authorization

Related Identifiers: CVE-2026-47740

Affected Products: Shopper