HIGH 8.1

CVE-2026-47740: Shopper Admin Permission Bypass Enables Unauthorized Order Mutation and Payment Capture

Shopper is a headless e-commerce admin panel that manages orders and payments. Before version 2.8.0, the application had a critical permission bypass flaw: users with read-only access to orders could perform actions meant only for administrators with edit permissions. This included canceling orders, marking them as paid or complete, capturing payments from customer credit cards, and modifying shipment tracking. A low-privilege employee or attacker with basic read access could therefore manipulate any order's lifecycle and trigger real financial transactions without authorization.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-285, CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from inadequate permission checks on Filament actions in the admin Order detail and Order shipments views. Specifically, actions such as cancel, markPaid, markComplete, capturePayment, archive, and startProcessing were guarded only by read_orders permission rather than the required edit_orders permission. Similarly, shipment actions (markDelivered, editTracking) checked only browse_orders instead of a more restrictive permission. The capturePayment action is particularly dangerous because it directly interfaces with payment service providers, allowing unauthenticated fund transfers to be initiated by unauthorized users. The flaw affects all versions prior to 2.8.0.

Business impact

This vulnerability directly threatens financial integrity and operational trust. An employee with minimal system access—or a compromised low-privilege account—could unilaterally modify order states, process refunds, charge customers without authorization, or disrupt fulfillment pipelines. The ability to trigger real payment captures means actual funds could be moved without proper authorization controls. Organizations relying on Shopper face potential revenue leakage, chargeback disputes, customer complaints, and audit findings related to segregation of duties and financial controls.

Affected systems

Shopper versions prior to 2.8.0 are affected. The vulnerability is present in all deployments of the headless e-commerce admin panel using versions before the fix. Organizations running Shopper should verify their current version immediately against the vendor's release notes.

Exploitability

Exploitation requires authentication (low-privilege user credentials) but no additional complexity. An attacker with a read-only account can directly invoke the vulnerable actions over the network without user interaction. The CVSS score of 8.1 (HIGH) reflects the combination of network accessibility, low privilege requirement, and high impact on both confidentiality and integrity. No exploit code or active weaponization is required beyond standard API calls or UI manipulation.

Remediation

Upgrade Shopper to version 2.8.0 or later immediately. This version implements proper permission enforcement, restricting order mutation actions to users holding edit_orders permission and shipment actions to users with appropriate administrative privileges. After patching, audit recent order modifications, payment captures, and shipment changes performed by read-only accounts to detect unauthorized activity.

Patch guidance

Apply Shopper 2.8.0 as a critical security update. Verify the update through official vendor release channels and changelogs before deployment. If version 2.8.0 is not yet available in your deployment environment, consult the vendor's security advisory for interim mitigations. Test the patch in a staging environment to ensure no business process disruption before rolling to production.

Detection guidance

Search your application logs for order mutation actions (cancel, markPaid, markComplete, capturePayment, archive, startProcessing, markDelivered, editTracking) performed by users holding only read_orders or browse_orders permissions. Cross-reference these actions with actual permission assignments in your access control system. Inspect payment capture logs for transactions initiated by non-administrative accounts. Monitor for unusual patterns of order state changes from low-privilege sessions. Implement real-time alerting on permission mismatches between user role and action severity.

Why prioritize this

This is a high-priority vulnerability requiring immediate remediation. The combination of financial impact (real payment captures), ease of exploitation (low-privilege authentication only), and broad applicability (all Shopper deployments pre-2.8.0) makes it critical. The vulnerability violates fundamental access control principles and creates direct exposure to revenue leakage and fraud. Any organization using Shopper should treat this as an emergency patch.

Risk score, explained

The CVSS 3.1 score of 8.1 reflects: network-based attack vector (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction needed (UI:N), and high impact on both confidentiality and integrity (C:H/I:H). The absence of availability impact (A:N) prevents a critical rating, but the ability to read and modify sensitive order data and trigger unauthorized financial transactions justifies the HIGH severity classification.

Frequently asked questions

Can an attacker without any system access exploit this?

No. The vulnerability requires authentication as a low-privilege user. However, this is a low bar—any user with basic read access to orders (e.g., a customer service representative or intern) could abuse it. Compromised credentials at this privilege level pose significant risk.

Does this affect only payment capture, or can order data be changed too?

Both. While capturePayment is the most dangerous because it moves real funds, attackers can also cancel orders, mark them complete, modify tracking information, and archive records. This enables fraud, fulfillment disruption, and covering tracks of unauthorized activity.

What should we do if we suspect unauthorized order changes?

Immediately review order activity logs for modifications by read-only accounts. Reconcile payment captures against authorized transactions. Contact your payment processor to dispute unauthorized charges if necessary. Upgrade to 2.8.0, then audit all order state changes from the vulnerability window to detect patterns of abuse.

Is there a workaround if we cannot patch immediately?

Verify with the vendor's security advisory for interim recommendations. Consider restricting read_orders and browse_orders permissions to only users who absolutely require them. Implement application-level logging and alerting on suspicious order mutations. However, patching remains the only reliable fix.

This analysis is based on public vulnerability data current as of the publication date. Verify all version numbers, affected product details, and patch availability against official vendor advisories and security bulletins. Organizations should conduct their own risk assessment based on their deployment specifics, data sensitivity, and regulatory obligations. Testing patches in non-production environments before deployment is strongly recommended. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).