{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/shopperlabs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["framework"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","privilege-escalation","xss","web-application"],"_cs_type":"threat","_cs_vendors":["shopperlabs"],"content_html":"\u003cp\u003eThe Shopper framework, a Laravel e-commerce platform, was found to have multiple authorization bypass vulnerabilities within its Livewire admin components. An authenticated user with low privileges could exploit these flaws to modify order details, shipment information, product data, user roles, and payment configurations without the necessary permissions. Several public Eloquent model properties on Livewire components were also vulnerable to client-side ID tampering due to missing \u003ccode\u003e#[Locked]\u003c/code\u003e attributes. Additionally, a stored XSS vulnerability existed in the product barcode field. These vulnerabilities were addressed in version 2.8.0, released in May 2026. Exploitation of these vulnerabilities could lead to privilege escalation, data manipulation, and potential compromise of sensitive information within the e-commerce platform.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Shopper framework admin panel with a low-privilege user account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to an order detail page, such as the \u0026ldquo;Order Detail\u0026rdquo; Filament actions.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the missing authorization check to call actions like \u003ccode\u003ecancel\u003c/code\u003e, \u003ccode\u003emark paid\u003c/code\u003e, or \u003ccode\u003ecapture payment\u003c/code\u003e without \u003ccode\u003eedit_orders\u003c/code\u003e permission. The \u003ccode\u003ecapturePayment\u003c/code\u003e action could trigger a payment service provider (PSP) capture.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker accesses the \u003ccode\u003eSettings/Team/Index\u003c/code\u003e page, where user roles can be managed.\u003c/li\u003e\n\u003cli\u003eDue to the absence of \u003ccode\u003emount()\u003c/code\u003e authorization, the attacker can create new roles or delete other users, potentially elevating their own privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the stored XSS vulnerability in the product barcode field by injecting malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eWhen other administrators or users view the product details, the XSS payload is executed via \u003ccode\u003eDNS1DFacade::getBarcodeHTML()\u003c/code\u003e with \u003ccode\u003e{!! !!}\u003c/code\u003e, potentially leading to session hijacking or other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker can further exploit the lack of \u003ccode\u003e#[Locked]\u003c/code\u003e attributes to perform client-side ID tampering.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could allow an attacker to escalate privileges, modify orders and products, manipulate user roles, and inject malicious JavaScript code into the Shopper framework. This could lead to data breaches, financial losses, and compromise of sensitive customer information. The vulnerabilities impact any Shopper framework instance running a version prior to 2.8.0. If successful, an attacker could gain full control over the e-commerce platform, potentially affecting thousands of customers and businesses relying on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to Shopper framework version 2.8.0 or later to patch the authorization bypass and XSS vulnerabilities (Affected Packages).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Shopper Framework Settings Team Index Access Without Authentication\u0026rdquo; to detect unauthorized access attempts to the \u003ccode\u003eSettings/Team/Index\u003c/code\u003e page (Sigma rule).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Shopper Framework Product Barcode Stored XSS Attempt\u0026rdquo; to identify potential stored XSS attempts via the barcode field (Sigma rule).\u003c/li\u003e\n\u003cli\u003eReview and enforce strict role-based access controls (RBAC) throughout the application to prevent unauthorized data modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T16:35:00Z","date_published":"2026-05-18T16:35:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-shopper-framework-auth-bypass/","summary":"Multiple Livewire components in the Shopper framework admin panel allowed authenticated low-privilege users to bypass authorization and mutate data without the required permissions, leading to potential privilege escalation and cross-site scripting.","title":"Shopper Framework Authorization Bypass in Multiple Livewire Admin Components","url":"https://feed.craftedsignal.io/briefs/2026-05-shopper-framework-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Shopperlabs","version":"https://jsonfeed.org/version/1.1"}