PT-2026-44944 · Shopper · Shopper

Baradika · Published 2026-05-29 · Updated 2026-06-08

CVE-2026-47744
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Shopper versions prior to 2.8.0
Description: Two authorization defects in the team settings allow an authenticated user to compromise the Role-Based Access Control (RBAC) system. The component "Settings/Team/Index" performs no authorization check in mount(), so any authenticated user can open the page and call its public actions to create new roles or delete other users, including administrators. In addition, the component "Settings/Team/RolePermission" gates its write actions on the read-only "view users" permission rather than on a write permission. Consequently, any user holding "view users" can grant arbitrary permissions, such as "manage users" and "edit orders", to themselves or to others, escalating to full panel administrator. Together, these flaws allow a low-privilege user to gain administrator rights and remove legitimate administrators.
Recommendations: Update to version 2.8.0.
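The two defects above, as an added illustration that is not Shopper's own code: a pair of Livewire-style components in the shape the advisory describes (no check in mount(); a write action gated on the read-only "view users" permission) next to the hardened form. Class names, the spatie/laravel-permission-style permission strings "view users" and "manage users", and the App\Models\User model are assumptions taken from the advisory text, not from the project.

```php
<?php
// Added example, not Shopper's code. Assumes Livewire 3 components and
// spatie/laravel-permission, which registers each permission name as a
// Gate ability so $this->authorize('manage users') resolves to it.
// Permission names come from the advisory text; all other names are assumed.

namespace App\Livewire\Settings\Team;

use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Support\Facades\Auth;
use Livewire\Component;
use Spatie\Permission\Models\Role;

// BEFORE (defect 1): nothing in mount(), so any logged-in user can render
// the page. Every public method of a Livewire component is a callable
// action, so createRole() and deleteUser() are reachable too.
class IndexVulnerable extends Component
{
    public function mount(): void {}

    public function createRole(string $name): void
    {
        Role::create(['name' => $name]);
    }

    public function deleteUser(int $userId): void
    {
        User::findOrFail($userId)->delete(); // administrators included
    }
}

// AFTER: deny the render in mount() AND re-check inside every
// state-changing action. Livewire runs mount() only on the first render;
// later action requests hydrate the component and call the method
// directly, so the action itself must carry the check.
class Index extends Component
{
    use AuthorizesRequests;

    public function mount(): void
    {
        $this->authorize('manage users'); // 403 unless the user holds it
    }

    public function createRole(string $name): void
    {
        $this->authorize('manage users');
        Role::create(['name' => $name]);
    }

    public function deleteUser(int $userId): void
    {
        $this->authorize('manage users');
        abort_if($userId === Auth::id(), 403); // no self-deletion
        User::findOrFail($userId)->delete();
    }
}

// BEFORE (defect 2): the write action is gated on the read-only
// permission, so a "view users" holder can hand out any permission.
class RolePermissionVulnerable extends Component
{
    use AuthorizesRequests;

    public function grant(int $roleId, string $permission): void
    {
        $this->authorize('view users'); // wrong ability for a write
        Role::findOrFail($roleId)->givePermissionTo($permission);
    }
}

// AFTER: reads stay on "view users", writes require "manage users".
class RolePermission extends Component
{
    use AuthorizesRequests;

    public function mount(): void
    {
        $this->authorize('view users'); // reading the matrix is fine
    }

    public function grant(int $roleId, string $permission): void
    {
        $this->authorize('manage users'); // writes need the write permission
        Role::findOrFail($roleId)->givePermissionTo($permission);
    }
}
```

The pattern to verify when auditing similar components: every public method that mutates state calls authorize() (or an equivalent Gate check) with a write-level ability, independently of what mount() checked, and the ability named for a write is never a read-only one.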

Weakness Enumeration

Improper Authorization

Improper Privilege Management

Related Identifiers

CVE-2026-47744
GHSA-C3QP-2GGW-XJG7

Affected Products

Shopper