CVE-2026-47745 - Shopper payment, currency, and carrier authorization bypass

Shopper framework versions before 2.8.0 exposed admin-table inline toggles and per-record actions for PaymentMethods, Currencies, and Carriers without enforcing the corresponding write permission. A low-privilege authenticated panel user could disable every payment method, alter or disable the default currency, or disable carriers, causing checkout denial and pricing integrity loss.

This recipe is separate from the critical Shopper RBAC recipe because the review surface is different: settings tables, Filament actions, inline ToggleColumn behavior, bulk actions, and checkout smoke tests. A clean PR should prove the fixed version is installed and that table actions are hidden or forbidden for roles that can view settings but cannot mutate them.

When to use it

Use this recipe when a Laravel Shopper deployment lets delegated admins or commerce operators manage payment, currency, carrier, shipping, or checkout configuration. It is designed for source-code remediation, high-impact configuration authorization review, payment/shipping integrity checks, and evidence that low-privilege users cannot mutate revenue-critical settings through direct Livewire or HTTP requests.

Inputs

  • shopper/framework version, Composer lock state, payment/currency/carrier policies, admin roles, Livewire/settings components, and generated dependency reports.
  • Source paths for payment methods, currencies, carriers, shipping settings, checkout config, policy checks, custom admin overrides, routes, and tests.
  • Regression fixtures for low-privilege users, authorized finance/admin users, direct mutation calls, tampered IDs, cross-scope settings changes, and expected denial/audit behavior.
  • Boundary evidence: affected stores/tenants, payment provider credentials, checkout impact, audit logs, rollout owner, and operations review owner.

Affected versions

  • Vulnerable package: shopper/framework <2.8.0
  • Fixed package: shopper/framework 2.8.0
  • Affected package manager: Composer
  • Affected surfaces: PaymentMethods, Currencies, and Carriers admin tables; inline enable/disable toggles; edit, delete, and bulk actions
  • Required attacker capability: authenticated Shopper panel account without access_setting or equivalent settings-write authority
  • Bug class: missing per-action authorization

Indicator-of-exposure

  • The repository depends on, vendors, forks, or deploys shopper/framework before 2.8.0.
  • The Shopper admin panel exposes payment, currency, or carrier settings to authenticated roles that are not fully trusted store administrators.
  • Local code customizes payment method, currency, carrier, shipping, checkout, Filament table, or settings authorization behavior.
  • Filament ToggleColumn, EditAction, DeleteAction, or bulk actions can mutate settings after only route-level or page-level authorization.
  • Storefront checkout, pricing, or shipping availability depends on settings values controlled by those admin tables.

Quick checks:

rg -n "shopper/framework|shopper/admin|PaymentMethods|PaymentMethod|Currencies|Currency|Carriers|Carrier|access_setting|ToggleColumn|EditAction|DeleteAction|BulkAction|Filament|is_enabled|checkout|shipping" .
composer show shopper/framework shopper/admin
composer why shopper/framework
rg -n "PaymentMethods|Currencies|Carriers|access_setting|ToggleColumn|EditAction|DeleteAction|BulkAction|is_enabled" composer.json composer.lock app config resources routes tests vendor . 2>/dev/null

Windows:

rg -n "shopper/framework|shopper/admin|PaymentMethods|PaymentMethod|Currencies|Currency|Carriers|Carrier|access_setting|ToggleColumn|EditAction|DeleteAction|BulkAction|Filament|is_enabled|checkout|shipping" .
composer show shopper/framework shopper/admin
composer why shopper/framework
rg -n "PaymentMethods|Currencies|Carriers|access_setting|ToggleColumn|EditAction|DeleteAction|BulkAction|is_enabled" composer.json composer.lock app config resources routes tests vendor .

Do not toggle live payment methods, currencies, or carriers during triage. Use isolated fixtures or a local test database only.

Remediation strategy

  • Upgrade every controlled Shopper dependency, Composer lockfile, deployment image, generated dependency report, and SBOM to 2.8.0+.
  • Verify all payment method, currency, and carrier settings mutations require access_setting or a local administrator-equivalent settings-write permission.
  • Ensure inline toggles, edit actions, delete actions, and bulk actions are either hidden or forbidden for users that can view settings but cannot mutate them.
  • Add regression tests for denied low-privilege table actions and allowed admin settings changes.
  • Add checkout/pricing/shipping smoke tests so authorization hardening does not accidentally break legitimate storefront behavior.
  • Review settings audit logs during the exposure window if untrusted panel users had access to affected versions.

The prompt

You are remediating CVE-2026-47745 / GHSA-fxqw-97cc-7g5c, a Shopper admin
authorization bypass where `PaymentMethods`, `Currencies`, and `Carriers`
tables expose inline toggles and per-record actions to authenticated users
without the required settings-write permission. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Shopper, enforces per-action
  authorization on payment/currency/carrier settings, adds safe regression and
  checkout smoke tests, refreshes generated artifacts, and documents operator
  review, or
- TRIAGE.md if this repository does not control an affected Shopper admin
  runtime, dependency, customization, or deployment.

## Rules

- Scope only CVE-2026-47745 / GHSA-fxqw-97cc-7g5c and directly related Shopper
  payment method, currency, carrier, Filament table, settings authorization,
  checkout, pricing, and shipping controls.
- Treat payment configuration, provider credentials, checkout logs, order data,
  pricing rules, carrier configuration, admin sessions, audit logs, application
  secrets, and database credentials as sensitive.
- Do not toggle live payment methods, alter production default currency,
  disable carriers, run real payment captures, export orders, or print provider
  secrets during validation.
- Do not remove settings authorization, audit logging, role checks, checkout
  validation, or tests to make the advisory disappear.
- Do not auto-merge.

## Steps

1. Inventory all Shopper references in `composer.json`, `composer.lock`,
   package constraints, Dockerfiles, deployment images, generated dependency
   reports, SBOMs, settings routes, Filament pages/tables, payment/currency/
   carrier resources, checkout code, shipping code, policies, gates, and local
   forks or overrides.
2. Determine every resolved Shopper version. A target is vulnerable if
   `shopper/framework` resolves below `2.8.0`.
3. Search for settings table mutations and customizations:
   `PaymentMethods`, `PaymentMethod`, `Currencies`, `Currency`, `Carriers`,
   `Carrier`, `ToggleColumn`, `EditAction`, `DeleteAction`, `BulkAction`,
   `is_enabled`, `access_setting`, settings policies, Filament action
   authorization, checkout, pricing, and shipping availability.
4. If the repository does not deploy Shopper admin settings code, stop with
   `TRIAGE.md` listing checked files, external owner if known, and the required
   fixed version.
5. Upgrade affected Shopper packages to `2.8.0+`. Refresh `composer.lock`,
   container layers, generated dependency reports, SBOMs, deployment manifests,
   and docs that pin or install Shopper.
6. Verify or patch per-action authorization:
   - inline enable/disable toggles require `access_setting` or equivalent
     settings-write authority;
   - edit, delete, and bulk actions require settings-write authority before
     mutation;
   - view-only settings roles cannot mutate payment, currency, or carrier
     state through direct action calls;
   - route or page-level authorization does not replace action-level checks.
7. Add safe regression tests:
   - unauthenticated users cannot reach settings mutations;
   - low-privilege panel users and view-only settings users cannot toggle,
     edit, delete, or bulk-update payment methods, currencies, or carriers;
   - real settings admins can still perform intended actions;
   - checkout, pricing, and shipping smoke tests pass with legitimate enabled
     payment/currency/carrier fixtures;
   - denied attempts are logged without leaking payment provider secrets,
     checkout data, orders, sessions, or database details.
8. Add a PR body section named `CVE-2026-47745 operator actions` that states:
   - Shopper versions before and after;
   - whether local payment/currency/carrier settings customizations exist;
   - which roles can mutate settings after the patch;
   - whether unexpected payment-method disables, currency changes, carrier
     disables, checkout failures, or pricing changes need review for the
     exposure window;
   - whether payment provider keys, webhooks, or store settings need audit
     review;
   - which validation commands passed.
9. Run available validation: Composer install/check-platform-reqs, lockfile
   integrity, Laravel/PHP unit and feature tests, Filament/Livewire table tests,
   checkout smoke tests, static analysis, lint, dependency/security scans, SBOM
   refresh, and deployment rendering.
10. Use PR title:
    `fix(sec): remediate CVE-2026-47745 in Shopper settings`.

## Stop conditions

- No affected Shopper package, admin panel, settings table, local fork,
  deployment image, checkout path, or settings customization is controlled by
  this repository.
- Shopper is owned by another application or platform team; name the owner and
  required fixed version in `TRIAGE.md`.
- Upgrading to `2.8.0+` requires a broader Laravel/PHP migration or maintenance
  window the agent cannot schedule.
- Verification would require changing production payment, currency, carrier,
  checkout, order, or provider-secret state.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades Shopper, adds fail-closed authorization on payment/currency/carrier mutations, adds direct-call tests, and documents checkout/config review.
  • Or a TRIAGE.md file that lists inspected components/policies, owner, observed version, commerce-config boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not change real payment/shipping settings, expose provider secrets, or weaken checkout controls.

Verification - what the reviewer looks for

  • No controlled Composer lockfile, image, SBOM, generated report, or package manifest resolves shopper/framework <2.8.0.
  • PaymentMethods, Currencies, and Carriers inline toggles and per-record actions require settings-write authority.
  • View-only or low-privilege panel users cannot mutate payment, currency, or carrier state through direct table action calls.
  • Regression tests cover denied low-privilege actions, allowed admin settings actions, and legitimate checkout/pricing/shipping behavior.
  • Operator notes cover payment-method, default-currency, carrier, checkout, and pricing review when untrusted panel users had access.

Watch for

  • Updating the package but leaving local Filament table overrides on the old unsafe pattern.
  • Hiding buttons in the UI while direct action calls remain authorized.
  • Treating route or page authorization as enough for inline table mutations.
  • Testing only one of payment methods, currencies, or carriers.
  • Running checkout smoke tests with live payment credentials or real orders.

References