CVE-2026-47745: Shopper Admin Authorization Bypass Allows Payment & Currency Tampering
Shopper, a headless e-commerce admin panel used to manage online stores, contains a permission-checking flaw in versions before 2.8.0. Admin users with low-level access can manipulate critical payment and fulfillment settings—such as disabling all payment methods, changing the default currency, or removing shipping carriers—even though they shouldn't have permission to do so. Any employee or contractor with admin panel access, regardless of their intended role, can trigger a complete checkout blockade or corrupt pricing data. The vendor has resolved this in version 2.8.0.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every payment method on the store, disable or alter the default currency, or disable carriers. The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user. This vulnerability is fixed in 2.8.0.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47745 is a privilege escalation vulnerability rooted in missing authorization checks (CWE-862) in Shopper's admin interface. The PaymentMethods, Currencies, and Carriers admin tables render inline action controls (enable, disable, edit, delete toggles) for all authenticated users without validating whether the requesting user holds the necessary per-action permissions. An attacker with valid admin credentials but restricted privileges can issue state-changing requests directly against these resources. Since the server does not enforce role-based access control at the action level, the attacker's requests succeed despite lacking authorization. The vector is network-accessible, requires existing credentials, and requires no user interaction (CVSS 3.1 score 6.5, MEDIUM).
Business impact
An insider or account-compromised admin user can render the e-commerce store non-functional by disabling payment gateways, breaking the checkout flow entirely. They may also alter the store's default currency setting, leading to pricing inconsistencies and potential financial reconciliation failures. Disabling carriers disrupts fulfillment logic. The cumulative effect is operational paralysis that directly blocks revenue and damages customer trust. Unlike data theft, this is purely destructive and readily noticeable, but no public exploit or active in-the-wild attacks are currently tracked.
Affected systems
Shopper versions prior to 2.8.0 are vulnerable. The admin panel of any Shopper installation running an affected version exposes the flawed controls to all authenticated users, regardless of their intended role or permissions model. Verify your Shopper deployment version in the admin settings or package manifest.
Exploitability
This vulnerability requires valid admin panel credentials; it cannot be exploited by unauthenticated attackers. However, it is trivial to exploit once an attacker gains any level of admin access (e.g., a contractor account, a former employee's lingering credentials, or a phished admin). No special tools or advanced techniques are needed—a simple browser interaction with the UI or a direct HTTP request to the action endpoint will succeed. The barrier to exploitation is credential compromise or insider threat, not technical sophistication.
Remediation
Upgrade Shopper to version 2.8.0 or later. This release implements proper authorization checks before rendering and processing inline admin actions. Perform the upgrade during a maintenance window to ensure a clean restart of the admin panel service. After upgrade, verify that low-privilege test accounts can no longer toggle payment methods, currencies, or carriers via the UI.
Patch guidance
Update Shopper to 2.8.0 or later. Consult the vendor's release notes and changelog for any breaking changes or database migration steps required by the upgrade. Validate the upgrade in a staging environment before deploying to production. If your organization has pinned Shopper to a specific version, remove the pin constraint and re-run your dependency installer (e.g., npm, pip, or equivalent). Verify admin panel connectivity and data integrity post-upgrade.
Detection guidance
Monitor admin panel audit logs for unusual state changes to payment methods, currencies, or carriers initiated by low-privilege user accounts. Look for logs showing enable/disable or delete actions performed by users whose roles should not permit such changes. Enable or increase verbosity of authorization failure logging in your Shopper configuration if available. Network-level detection is limited since the exploit uses legitimate authenticated sessions; log-based detection of policy violations is more effective.
Why prioritize this
Although the CVSS score is MEDIUM (6.5), prioritize patching in environments where checkout availability and pricing integrity are critical to business continuity. The vulnerability requires credential compromise but poses a direct denial-of-service risk with high business impact. Businesses operating on thin margins or with high-volume, time-sensitive sales should treat this as HIGH priority for immediate upgrade. Lower-urgency deployments (e.g., staging, testing, or low-traffic stores) can follow standard quarterly patch cycles, provided admin access is strictly controlled.
Risk score, explained
CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N yields a score of 6.5 (MEDIUM). Attack Vector is Network (reachable from the internet if the admin panel is exposed). Attack Complexity is Low (no user interaction or additional conditions required once authenticated). Privileges Required is Low (any admin user can trigger the action). Scope is Unchanged (impact is confined to the Shopper application itself). Confidentiality is None (no data exfiltration). Integrity is High (payment methods and currency settings can be maliciously altered or deleted). Availability is None (though the operational impact of disabling payments de facto causes service unavailability, the CVSS model focuses on configuration tampering rather than denial of service). The score reflects a serious but not critical flaw.
Frequently asked questions
Does this vulnerability allow unauthenticated attackers to disrupt my store?
No. An attacker must first obtain valid admin panel credentials. The vulnerability does not bypass login or authentication; it circumvents authorization checks *after* authentication. If your admin panel is not exposed to the internet and access is tightly controlled, the practical risk is lower. However, credential compromise, phishing, or insider threats remain real vectors.
Will upgrading to 2.8.0 require downtime or data migration?
Consult the Shopper vendor's release notes for your specific version. Most minor version upgrades (2.7.x to 2.8.0) are backward-compatible and require only a service restart. Some configurations may require a database schema update; test the upgrade in a staging environment first to estimate downtime and plan accordingly.
How can I reduce risk while waiting for an upgrade window?
Immediately audit admin user accounts and revoke credentials for any inactive or unnecessary users. Implement IP whitelisting on the admin panel URL if feasible. Enable multi-factor authentication (MFA) for all admin accounts. Monitor admin logs for suspicious state changes. Temporarily restrict admin panel access to trusted IP ranges or networks. These steps reduce the likelihood of credential compromise but do not fully mitigate the vulnerability.
Is this vulnerability being actively exploited in the wild?
This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and no public exploit code or active campaigns have been reported as of the publication date. However, the simplicity of exploitation means malicious insiders or low-privilege attackers with valid credentials can exploit it immediately upon access.
This analysis is based on vendor-published information and CVE data as of June 2026. Security organizations should verify patch availability and compatibility with their specific Shopper version and deployment architecture before applying updates. The vulnerability details and CVSS score are provided for informational purposes; SEC.co does not warrant the completeness or accuracy of vendor guidance and recommends consulting official Shopper documentation. No exploit code or weaponized proof-of-concept is provided in this advisory. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10855MEDIUMMISP Event Template Authorization Flaw – Patch Guidance
- CVE-2026-27351MEDIUMMissing Authorization in Sekander Badsha Crew HRM—Patch Guidance & Risk Analysis