CVE-2026-47743 - Shopper admin Livewire integrity and disclosure flaws

Shopper framework versions before 2.8.0 had three related admin-panel issues in Livewire components: unlocked public identifiers that enabled IDOR-style record targeting, a customer-create flow that round-tripped plaintext passwords through a hidden field and Livewire snapshot, and stored XSS via unescaped barcode rendering in the product view.

The correct fix is broader than a package bump. The repository needs the fixed Shopper release plus verification that local Livewire customizations lock model identifiers, never return plaintext credentials to the client, and escape or context-isolate any HTML-generating barcode or preview feature.

When to use it

Use this recipe when a Laravel/Shopper repository depends on shopper/framework or carries local Shopper admin Livewire customizations. It is most important for ecommerce/admin panels where support staff, operations users, tenants, marketplace staff, or integrations can edit customers, products, SKUs, barcodes, roles, or team data.

Use it to combine a package upgrade with code hygiene around Livewire hydration, credential handling, authorization, and rendered HTML. Do not use it to execute live XSS or tamper with production customer records.

Inputs

  • Composer manifests, composer.lock, local forks/overrides, Dockerfiles, deployment images, SBOMs, generated dependency reports, and docs that pin Shopper.
  • Admin Livewire components, public component properties, model identifiers, customer create/reset flows, hidden fields, password handling, product and barcode rendering, raw Blade HTML, and preview/print views.
  • Authorization model for admins, support, tenants, operations, integrations, and automation that can access the Shopper admin panel.
  • Evidence of whether plaintext passwords, Livewire snapshots, session data, customer records, order data, barcode values, or product metadata appear in DOM, logs, validation errors, or audit streams.
  • Existing validation commands for Composer, Laravel/PHP tests, Livewire component tests, static analysis, linting, SBOM refresh, and security scans.

Affected versions

  • Vulnerable package: shopper/framework <2.8.0
  • Fixed package: shopper/framework 2.8.0
  • Affected surfaces: admin Livewire components, customer create flow, product barcode rendering, and public Livewire component properties
  • Bug classes: IDOR, sensitive-data exposure, stored XSS

Indicator-of-exposure

  • The repository depends on, vendors, forks, or deploys shopper/framework before 2.8.0.
  • Shopper admin Livewire components expose public model identifiers or record ids without a locking mechanism.
  • Customer creation or reset flows round-trip plaintext passwords, secrets, or one-time values back to the browser through hidden fields or component state.
  • Product, SKU, barcode, or preview rendering uses raw HTML output or helper output inside {!! !!} blocks.
  • Untrusted or semi-trusted admin-panel users can edit products, customers, or team data.

Quick checks:

rg -n "shopper/framework|Livewire|#\\[Locked\\]|public \\$.*id|Hidden\\(|_password|password|DNS1D|getBarcodeHTML|\\{!!|barcode" .
composer show shopper/framework shopper/admin
composer why shopper/framework
rg -n "Customers/Create|Products/Show|RolePermission|Livewire|password|barcode|Hidden\\(" app config resources routes tests vendor . 2>/dev/null

Windows:

rg -n "shopper/framework|Livewire|#\\[Locked\\]|public \\$.*id|Hidden\\(|_password|password|DNS1D|getBarcodeHTML|\\{!!|barcode" .
composer show shopper/framework shopper/admin
composer why shopper/framework
rg -n "Customers/Create|Products/Show|RolePermission|Livewire|password|barcode|Hidden\\(" app config resources routes tests vendor .

Do not create live customer accounts with real passwords, trigger stored XSS in production browsers, or export customer/admin records during triage.

Remediation strategy

  • Upgrade every controlled Shopper dependency, lockfile, deployment image, and SBOM to 2.8.0+.
  • Lock Livewire model identifiers and any record-selector properties that must not be client-rewritable.
  • Remove plaintext password round-trips. Hash or process passwords on the server boundary and never send them back to the client, DOM, or Livewire snapshot.
  • Escape or structurally isolate barcode values before rendering and avoid raw HTML output for user-editable fields.
  • Add regression tests for record-id tampering, password handling, and barcode XSS so later customizations cannot silently reintroduce the same patterns.
  • Review audit logs, customer account creations, and admin activity if untrusted users had panel access to the vulnerable version.

The prompt

You are remediating CVE-2026-47743 / GHSA-hr9v-r8r2-hg7j, a high-severity
Shopper admin Livewire issue combining IDOR, plaintext password disclosure, and
stored XSS. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Shopper, locks exposed model
  identifiers, removes plaintext password round-trips, hardens barcode
  rendering, adds safe regression tests, refreshes generated artifacts, and
  documents operator review, or
- TRIAGE.md if this repository does not control an affected Shopper admin
  runtime, dependency, customization, or deployment.

## Rules

- Scope only CVE-2026-47743 / GHSA-hr9v-r8r2-hg7j and directly related
  Shopper/Livewire controls.
- Treat customer passwords, admin sessions, customer records, order data,
  product metadata, barcode values, audit logs, and database credentials as
  sensitive.
- Do not execute live XSS payloads, tamper with real customer ids, or create
  accounts with production passwords during validation.
- Do not log plaintext passwords, Livewire snapshots, session cookies, or
  customer data.
- Do not delete authorization or audit controls just to simplify the patch.
- Do not auto-merge.

## Steps

1. Inventory all repository-controlled Shopper references in Composer manifests,
   lockfiles, Dockerfiles, deployment images, SBOMs, generated dependency
   reports, and local forks or overrides.
2. Determine every resolved Shopper version. A target is vulnerable if
   `shopper/framework` resolves below `2.8.0`.
3. Search for local code patterns related to the advisory:
   `#[Locked]`, public Livewire model ids, hidden password fields, customer
   create flows, `DNS1DFacade::getBarcodeHTML()`, raw Blade HTML output,
   barcode rendering, and component property hydration.
4. If the repository does not control an affected Shopper admin panel, stop
   with `TRIAGE.md` listing checked files, external owner if known, and
   required fixed version.
5. Upgrade controlled Shopper packages to `2.8.0+`. Refresh `composer.lock`,
   image layers, SBOMs, dependency reports, and docs that pin the old version.
6. Lock record selectors and public identifiers that should not be rewritten by
   the browser. Ensure sensitive identifiers are not trusted solely because
   routing or component mount set them initially.
7. Remove password round-trips:
   - do not store plaintext passwords in hidden fields or component state;
   - hash or process passwords at the server action boundary;
   - ensure responses and snapshots do not contain plaintext credentials.
8. Harden rendering:
   - escape barcode or similar user-editable values before rendering;
   - avoid raw HTML output for untrusted fields;
   - prefer structured SVG/HTML generation that does not interpret event
     handlers or injected attributes.
9. Add regression tests that do not use exploit payloads:
   - client-side id tampering is rejected;
   - snapshots and rendered HTML do not contain plaintext passwords;
   - barcode rendering treats attacker-controlled values as data, not markup;
   - expected admin functionality still works for trusted roles.
10. Add a PR body section named `CVE-2026-47743 operator actions` that states:
    - Shopper versions before and after;
    - whether local Livewire customizations existed;
    - whether any customer passwords may have been exposed in DOM, logs, or
      snapshots;
    - whether suspicious record targeting or admin XSS activity needs review;
    - which validation commands passed.
11. Run available validation: Composer install, Laravel/PHP unit and feature
    tests, Livewire component tests, static analysis, lint, dependency/security
    scans, and SBOM refresh.
12. Use PR title:
    `fix(sec): remediate CVE-2026-47743 in Shopper admin`.

## Stop conditions

- No affected Shopper runtime, dependency, or admin customization is controlled
  by this repository.
- The deployment is owned by another team or vendor; document owner and
  required fixed version in `TRIAGE.md`.
- A safe fix would require broader framework migration outside repository
  ownership.
- Verification would require live customer-password exposure, live XSS
  execution, or production record tampering.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, image, or SBOM resolves shopper/framework <2.8.0.
  • Sensitive Livewire identifiers are locked or otherwise not client-rewritable.
  • Customer-password handling no longer returns plaintext values to the client or snapshot state.
  • Barcode or preview rendering escapes untrusted values and avoids raw unsafe output.
  • Regression tests cover tampering, disclosure, and rendering abuse paths.

Watch for

  • Fixing upstream package versions but leaving local Livewire overrides on the old unsafe pattern.
  • Replacing one hidden password field while another form still mirrors plaintext credentials into component state.
  • Escaping some barcode rendering paths while a second preview or print view still uses raw HTML.
  • Logging Livewire snapshots or validation errors that include sensitive fields.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades shopper/framework to 2.8.0+, locks sensitive Livewire identifiers, removes plaintext password round-trips, escapes or isolates barcode rendering, adds safe regression tests, refreshes generated artifacts, and documents operator review.
  • TRIAGE.md when no controlled affected Shopper runtime, dependency, customization, or deployment exists.

The output must list Shopper versions before/after, local Livewire customizations, identifiers locked, password fields removed from client state, rendering paths hardened, validation commands, and whether customer-password, record-targeting, or admin-XSS audit review is required. It must not create accounts with production passwords, execute live XSS, tamper with real records, or log snapshots, session cookies, customer data, or plaintext credentials.

References