PT-2026-44943 · Shopper · Shopper

Baradika · Published 2026-05-29 · Updated 2026-06-05 · CVE-2026-47742

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Shopper versions prior to 2.8.0

Description

Sub-form Livewire components within the product editor (specifically those handling Edit, Inventory, Seo, Shipping, and Files) lack authorization on their store() method. This allows any authenticated panel user, regardless of their assigned role, to modify product pricing, stock, SEO metadata, shipping dimensions, and attached media without possessing the edit products permission. Additionally, these components accept the product ID as a public Livewire property that is not protected by the #[Locked] attribute, enabling an attacker to target arbitrary products by manipulating the wire payload from the client side.

Recommendations

Update to version 2.8.0.
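
The two defects in the description and the general remediation pattern for them, as an added example for Livewire 3. It is not Shopper's code: the class names, the `Product` model, the `stock` field and the `edit_products` ability name are assumptions made for illustration.

```php
<?php
// Added illustration; class, model and ability names are hypothetical,
// not taken from the Shopper code base.

namespace App\Livewire;

use App\Models\Product;                 // hypothetical Eloquent model
use Illuminate\Support\Facades\Gate;
use Livewire\Attributes\Locked;
use Livewire\Component;

// BEFORE: the pattern the advisory describes.
class InventoryFormUnguarded extends Component
{
    public int $productId;              // public and unlocked: the client can change it
    public int $stock = 0;

    public function store(): void
    {
        // No authorization check: any authenticated panel user reaches this write.
        Product::findOrFail($this->productId)->update(['stock' => $this->stock]);
    }
}

// AFTER: lock the identifier and authorize inside the action itself.
class InventoryFormGuarded extends Component
{
    #[Locked]                           // Livewire rejects client-side updates to this property
    public int $productId;

    public int $stock = 0;

    public function mount(int $productId): void
    {
        $this->productId = $productId;  // server-side assignment is still allowed
    }

    public function store(): void
    {
        // Every public Livewire method is callable from the client, so the
        // check belongs here, not only on the page that renders the form.
        Gate::authorize('edit_products');   // assumed ability name

        $validated = $this->validate(['stock' => ['required', 'integer', 'min:0']]);

        Product::findOrFail($this->productId)->update($validated);
    }
}
```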

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-47742
GHSA-H4MP-G9C6-XWPH

Affected Products

Shopper