EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the Shopper headless e‑commerce admin panel (composer/shopper/framework) versions prior to 2.8.0. The flaws include authorization bypass and privilege escalation, insecure direct object reference, sensitive data exposure, and stored cross‑site scripting. An attacker with a low‑privilege, authenticated account can manipulate role permissions to gain full administrative control, delete legitimate users, and read or alter confidential customer data, including plaintext passwords. Additionally, crafted product barcodes can trigger XSS in admin browsers, enabling session hijacking. These weaknesses threaten data integrity, confidentiality, and operational continuity, potentially leading to regulatory breaches and loss of customer trust.
• CVE-2026-47744 with a CVSS score of 9.9 – An authentication bypass in the team settings lets any logged‑in user create roles, delete administrators, and elevate privileges to full admin without additional permissions.
• CVE-2026-47743 with a CVSS score of 8.7 – Improperly protected Livewire component properties allow IDOR attacks, a hidden password field leaks plaintext credentials, and stored XSS in product barcodes lets attackers inject scripts that execute in admin browsers.
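As an added, hypothetical example (not code from the Shopper project or from either advisory), the following Livewire 3 admin component shows the defensive pattern that closes the two weakness classes listed above: client-writable component properties (the IDOR vector) and unvalidated barcode data (the stored XSS vector). The `App\Models\Product` model, its `ProductPolicy`, and the view name are assumptions.

```php
<?php
// Hypothetical hardened admin component; names are illustrative, not Shopper's.
namespace App\Livewire\Admin;

use App\Models\Product;             // assumed Eloquent model with a 'barcode' column
use Illuminate\Support\Facades\Gate;
use Livewire\Attributes\Locked;
use Livewire\Component;

class EditProduct extends Component
{
    // Every public property is serialized to the browser and, unless locked, can be
    // rewritten by the client between requests. #[Locked] makes Livewire reject any
    // such change, so a low-privilege user cannot swap in another record's id.
    #[Locked]
    public int $productId;

    public string $name = '';
    public string $barcode = '';

    public function mount(int $productId): void
    {
        $product = Product::findOrFail($productId);
        // Authorize on entry; assumes a ProductPolicy with an 'update' ability.
        Gate::authorize('update', $product);
        $this->productId = $product->id;
        $this->name      = $product->name;
        $this->barcode   = $product->barcode;
    }

    public function save(): void
    {
        $product = Product::findOrFail($this->productId);
        // Re-check on the action itself: component state can be replayed by the client,
        // and the listing page the user came from is not an authorization boundary.
        Gate::authorize('update', $product);

        $validated = $this->validate([
            'name'    => ['required', 'string', 'max:255'],
            // Allow only the characters a barcode needs; markup never reaches storage,
            // so the admin UI is safe even where a view forgets to escape.
            'barcode' => ['required', 'regex:/^[A-Za-z0-9\-]{1,64}$/'],
        ]);

        $product->fill($validated)->save();
    }

    public function render()
    {
        // In the Blade view render the value as {{ $barcode }} (escaped), never {!! !!}.
        return view('livewire.admin.edit-product');   // assumed view name
    }
}
```

Secrets such as password hashes should never be component properties at all, since public state is shipped to the browser; keep them on the model and change them only through a separate, authorized action.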
The combined impact of these vulnerabilities places the entire e‑commerce administration environment at critical risk, demanding immediate attention. If exploited, attackers can seize control of the platform, compromise customer credentials, and inject malicious code, leading to potential data breaches, financial loss, and erosion of brand reputation. Prompt executive action is essential to protect operational integrity and regulatory compliance.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-c3qp-2ggw-xjg7
https://github.com/advisories/GHSA-hr9v-r8r2-hg7j