CVE-2026-47740: Shopper Admin Permission Bypass Enables Unauthorized Order Mutation and Payment Capture
Shopper is a headless e-commerce admin panel that manages orders and payments. Before version 2.8.0, the application had a critical permission bypass flaw: users with read-only access to orders could perform actions meant only for administrators with edit permissions. This included canceling orders, marking them as paid or complete, capturing payments from customer credit cards, and modifying shipment tracking. A low-privilege employee or attacker with basic read access could therefore manipulate any order's lifecycle and trigger real financial transactions without authorization.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-285, CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from inadequate permission checks on Filament actions in the admin Order detail and Order shipments views. Specifically, actions such as cancel, markPaid, markComplete, capturePayment, archive, and startProcessing were guarded only by read_orders permission rather than the required edit_orders permission. Similarly, shipment actions (markDelivered, editTracking) checked only browse_orders instead of a more restrictive permission. The capturePayment action is particularly dangerous because it directly interfaces with payment service providers, allowing unauthenticated fund transfers to be initiated by unauthorized users. The flaw affects all versions prior to 2.8.0.
Business impact
This vulnerability directly threatens financial integrity and operational trust. An employee with minimal system access—or a compromised low-privilege account—could unilaterally modify order states, process refunds, charge customers without authorization, or disrupt fulfillment pipelines. The ability to trigger real payment captures means actual funds could be moved without proper authorization controls. Organizations relying on Shopper face potential revenue leakage, chargeback disputes, customer complaints, and audit findings related to segregation of duties and financial controls.
Affected systems
Shopper versions prior to 2.8.0 are affected. The vulnerability is present in all deployments of the headless e-commerce admin panel using versions before the fix. Organizations running Shopper should verify their current version immediately against the vendor's release notes.
Exploitability
Exploitation requires authentication (low-privilege user credentials) but no additional complexity. An attacker with a read-only account can directly invoke the vulnerable actions over the network without user interaction. The CVSS score of 8.1 (HIGH) reflects the combination of network accessibility, low privilege requirement, and high impact on both confidentiality and integrity. No exploit code or active weaponization is required beyond standard API calls or UI manipulation.
Remediation
Upgrade Shopper to version 2.8.0 or later immediately. This version implements proper permission enforcement, restricting order mutation actions to users holding edit_orders permission and shipment actions to users with appropriate administrative privileges. After patching, audit recent order modifications, payment captures, and shipment changes performed by read-only accounts to detect unauthorized activity.
Patch guidance
Apply Shopper 2.8.0 as a critical security update. Verify the update through official vendor release channels and changelogs before deployment. If version 2.8.0 is not yet available in your deployment environment, consult the vendor's security advisory for interim mitigations. Test the patch in a staging environment to ensure no business process disruption before rolling to production.
Detection guidance
Search your application logs for order mutation actions (cancel, markPaid, markComplete, capturePayment, archive, startProcessing, markDelivered, editTracking) performed by users holding only read_orders or browse_orders permissions. Cross-reference these actions with actual permission assignments in your access control system. Inspect payment capture logs for transactions initiated by non-administrative accounts. Monitor for unusual patterns of order state changes from low-privilege sessions. Implement real-time alerting on permission mismatches between user role and action severity.
Why prioritize this
This is a high-priority vulnerability requiring immediate remediation. The combination of financial impact (real payment captures), ease of exploitation (low-privilege authentication only), and broad applicability (all Shopper deployments pre-2.8.0) makes it critical. The vulnerability violates fundamental access control principles and creates direct exposure to revenue leakage and fraud. Any organization using Shopper should treat this as an emergency patch.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects: network-based attack vector (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction needed (UI:N), and high impact on both confidentiality and integrity (C:H/I:H). The absence of availability impact (A:N) prevents a critical rating, but the ability to read and modify sensitive order data and trigger unauthorized financial transactions justifies the HIGH severity classification.
Frequently asked questions
Can an attacker without any system access exploit this?
No. The vulnerability requires authentication as a low-privilege user. However, this is a low bar—any user with basic read access to orders (e.g., a customer service representative or intern) could abuse it. Compromised credentials at this privilege level pose significant risk.
Does this affect only payment capture, or can order data be changed too?
Both. While capturePayment is the most dangerous because it moves real funds, attackers can also cancel orders, mark them complete, modify tracking information, and archive records. This enables fraud, fulfillment disruption, and covering tracks of unauthorized activity.
What should we do if we suspect unauthorized order changes?
Immediately review order activity logs for modifications by read-only accounts. Reconcile payment captures against authorized transactions. Contact your payment processor to dispute unauthorized charges if necessary. Upgrade to 2.8.0, then audit all order state changes from the vulnerability window to detect patterns of abuse.
Is there a workaround if we cannot patch immediately?
Verify with the vendor's security advisory for interim recommendations. Consider restricting read_orders and browse_orders permissions to only users who absolutely require them. Implement application-level logging and alerting on suspicious order mutations. However, patching remains the only reliable fix.
This analysis is based on public vulnerability data current as of the publication date. Verify all version numbers, affected product details, and patch availability against official vendor advisories and security bulletins. Organizations should conduct their own risk assessment based on their deployment specifics, data sensitivity, and regulatory obligations. Testing patches in non-production environments before deployment is strongly recommended. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability
- CVE-2025-26418HIGHAndroid CarDevicePolicyService Privilege Escalation (CVSS 7.8)
- CVE-2025-53345HIGHThimPress Thim Core Missing Authorization Leads to Code Execution
- CVE-2026-0072HIGHAndroid XR InputMethodManagerService Privilege Escalation (CVSS 7.8)
- CVE-2026-10236HIGHSourceCodester Water Billing System Improper Authorization Vulnerability (CVSS 7.3)
- CVE-2026-10737HIGHWordPress SP Project & Document Manager Unauthenticated File Access Vulnerability
- CVE-2026-31942HIGHLibreChat IDOR Vulnerability Allows Unauthorized API Key Manipulation
- CVE-2026-32905HIGHOpenClaw Device-Pair Authorization Bypass (CVSS 8.3)