CVE-2026-47745 - Shopper payment, currency, and carrier authorization bypass
Shopper framework versions before 2.8.0 exposed admin-table inline toggles
and per-record actions for PaymentMethods, Currencies, and Carriers
without enforcing the corresponding write permission. A low-privilege
authenticated panel user could disable every payment method, alter or disable
the default currency, or disable carriers, causing checkout denial and pricing
integrity loss.
This recipe is separate from the critical Shopper RBAC recipe because the
review surface is different: settings tables, Filament actions, inline
ToggleColumn behavior, bulk actions, and checkout smoke tests. A clean PR
should prove the fixed version is installed and that table actions are hidden
or forbidden for roles that can view settings but cannot mutate them.
When to use it
Use this recipe when a Laravel Shopper deployment lets delegated admins or commerce operators manage payment, currency, carrier, shipping, or checkout configuration. It is designed for source-code remediation, high-impact configuration authorization review, payment/shipping integrity checks, and evidence that low-privilege users cannot mutate revenue-critical settings through direct Livewire or HTTP requests.
Inputs
shopper/frameworkversion, Composer lock state, payment/currency/carrier policies, admin roles, Livewire/settings components, and generated dependency reports.- Source paths for payment methods, currencies, carriers, shipping settings, checkout config, policy checks, custom admin overrides, routes, and tests.
- Regression fixtures for low-privilege users, authorized finance/admin users, direct mutation calls, tampered IDs, cross-scope settings changes, and expected denial/audit behavior.
- Boundary evidence: affected stores/tenants, payment provider credentials, checkout impact, audit logs, rollout owner, and operations review owner.
Affected versions
- Vulnerable package:
shopper/framework <2.8.0 - Fixed package:
shopper/framework 2.8.0 - Affected package manager: Composer
- Affected surfaces:
PaymentMethods,Currencies, andCarriersadmin tables; inline enable/disable toggles; edit, delete, and bulk actions - Required attacker capability: authenticated Shopper panel account without
access_settingor equivalent settings-write authority - Bug class: missing per-action authorization
Indicator-of-exposure
- The repository depends on, vendors, forks, or deploys
shopper/frameworkbefore2.8.0. - The Shopper admin panel exposes payment, currency, or carrier settings to authenticated roles that are not fully trusted store administrators.
- Local code customizes payment method, currency, carrier, shipping, checkout, Filament table, or settings authorization behavior.
- Filament
ToggleColumn,EditAction,DeleteAction, or bulk actions can mutate settings after only route-level or page-level authorization. - Storefront checkout, pricing, or shipping availability depends on settings values controlled by those admin tables.
Quick checks:
rg -n "shopper/framework|shopper/admin|PaymentMethods|PaymentMethod|Currencies|Currency|Carriers|Carrier|access_setting|ToggleColumn|EditAction|DeleteAction|BulkAction|Filament|is_enabled|checkout|shipping" .
composer show shopper/framework shopper/admin
composer why shopper/framework
rg -n "PaymentMethods|Currencies|Carriers|access_setting|ToggleColumn|EditAction|DeleteAction|BulkAction|is_enabled" composer.json composer.lock app config resources routes tests vendor . 2>/dev/null
Windows:
rg -n "shopper/framework|shopper/admin|PaymentMethods|PaymentMethod|Currencies|Currency|Carriers|Carrier|access_setting|ToggleColumn|EditAction|DeleteAction|BulkAction|Filament|is_enabled|checkout|shipping" .
composer show shopper/framework shopper/admin
composer why shopper/framework
rg -n "PaymentMethods|Currencies|Carriers|access_setting|ToggleColumn|EditAction|DeleteAction|BulkAction|is_enabled" composer.json composer.lock app config resources routes tests vendor .
Do not toggle live payment methods, currencies, or carriers during triage. Use isolated fixtures or a local test database only.
Remediation strategy
- Upgrade every controlled Shopper dependency, Composer lockfile, deployment
image, generated dependency report, and SBOM to
2.8.0+. - Verify all payment method, currency, and carrier settings mutations require
access_settingor a local administrator-equivalent settings-write permission. - Ensure inline toggles, edit actions, delete actions, and bulk actions are either hidden or forbidden for users that can view settings but cannot mutate them.
- Add regression tests for denied low-privilege table actions and allowed admin settings changes.
- Add checkout/pricing/shipping smoke tests so authorization hardening does not accidentally break legitimate storefront behavior.
- Review settings audit logs during the exposure window if untrusted panel users had access to affected versions.
The prompt
You are remediating CVE-2026-47745 / GHSA-fxqw-97cc-7g5c, a Shopper admin
authorization bypass where `PaymentMethods`, `Currencies`, and `Carriers`
tables expose inline toggles and per-record actions to authenticated users
without the required settings-write permission. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Shopper, enforces per-action
authorization on payment/currency/carrier settings, adds safe regression and
checkout smoke tests, refreshes generated artifacts, and documents operator
review, or
- TRIAGE.md if this repository does not control an affected Shopper admin
runtime, dependency, customization, or deployment.
## Rules
- Scope only CVE-2026-47745 / GHSA-fxqw-97cc-7g5c and directly related Shopper
payment method, currency, carrier, Filament table, settings authorization,
checkout, pricing, and shipping controls.
- Treat payment configuration, provider credentials, checkout logs, order data,
pricing rules, carrier configuration, admin sessions, audit logs, application
secrets, and database credentials as sensitive.
- Do not toggle live payment methods, alter production default currency,
disable carriers, run real payment captures, export orders, or print provider
secrets during validation.
- Do not remove settings authorization, audit logging, role checks, checkout
validation, or tests to make the advisory disappear.
- Do not auto-merge.
## Steps
1. Inventory all Shopper references in `composer.json`, `composer.lock`,
package constraints, Dockerfiles, deployment images, generated dependency
reports, SBOMs, settings routes, Filament pages/tables, payment/currency/
carrier resources, checkout code, shipping code, policies, gates, and local
forks or overrides.
2. Determine every resolved Shopper version. A target is vulnerable if
`shopper/framework` resolves below `2.8.0`.
3. Search for settings table mutations and customizations:
`PaymentMethods`, `PaymentMethod`, `Currencies`, `Currency`, `Carriers`,
`Carrier`, `ToggleColumn`, `EditAction`, `DeleteAction`, `BulkAction`,
`is_enabled`, `access_setting`, settings policies, Filament action
authorization, checkout, pricing, and shipping availability.
4. If the repository does not deploy Shopper admin settings code, stop with
`TRIAGE.md` listing checked files, external owner if known, and the required
fixed version.
5. Upgrade affected Shopper packages to `2.8.0+`. Refresh `composer.lock`,
container layers, generated dependency reports, SBOMs, deployment manifests,
and docs that pin or install Shopper.
6. Verify or patch per-action authorization:
- inline enable/disable toggles require `access_setting` or equivalent
settings-write authority;
- edit, delete, and bulk actions require settings-write authority before
mutation;
- view-only settings roles cannot mutate payment, currency, or carrier
state through direct action calls;
- route or page-level authorization does not replace action-level checks.
7. Add safe regression tests:
- unauthenticated users cannot reach settings mutations;
- low-privilege panel users and view-only settings users cannot toggle,
edit, delete, or bulk-update payment methods, currencies, or carriers;
- real settings admins can still perform intended actions;
- checkout, pricing, and shipping smoke tests pass with legitimate enabled
payment/currency/carrier fixtures;
- denied attempts are logged without leaking payment provider secrets,
checkout data, orders, sessions, or database details.
8. Add a PR body section named `CVE-2026-47745 operator actions` that states:
- Shopper versions before and after;
- whether local payment/currency/carrier settings customizations exist;
- which roles can mutate settings after the patch;
- whether unexpected payment-method disables, currency changes, carrier
disables, checkout failures, or pricing changes need review for the
exposure window;
- whether payment provider keys, webhooks, or store settings need audit
review;
- which validation commands passed.
9. Run available validation: Composer install/check-platform-reqs, lockfile
integrity, Laravel/PHP unit and feature tests, Filament/Livewire table tests,
checkout smoke tests, static analysis, lint, dependency/security scans, SBOM
refresh, and deployment rendering.
10. Use PR title:
`fix(sec): remediate CVE-2026-47745 in Shopper settings`.
## Stop conditions
- No affected Shopper package, admin panel, settings table, local fork,
deployment image, checkout path, or settings customization is controlled by
this repository.
- Shopper is owned by another application or platform team; name the owner and
required fixed version in `TRIAGE.md`.
- Upgrading to `2.8.0+` requires a broader Laravel/PHP migration or maintenance
window the agent cannot schedule.
- Verification would require changing production payment, currency, carrier,
checkout, order, or provider-secret state.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades Shopper, adds fail-closed authorization on payment/currency/carrier mutations, adds direct-call tests, and documents checkout/config review.
- Or a
TRIAGE.mdfile that lists inspected components/policies, owner, observed version, commerce-config boundary, required fix, and residual risk. - The output must include exact validation commands and must not change real payment/shipping settings, expose provider secrets, or weaken checkout controls.
Verification - what the reviewer looks for
- No controlled Composer lockfile, image, SBOM, generated report, or package
manifest resolves
shopper/framework <2.8.0. PaymentMethods,Currencies, andCarriersinline toggles and per-record actions require settings-write authority.- View-only or low-privilege panel users cannot mutate payment, currency, or carrier state through direct table action calls.
- Regression tests cover denied low-privilege actions, allowed admin settings actions, and legitimate checkout/pricing/shipping behavior.
- Operator notes cover payment-method, default-currency, carrier, checkout, and pricing review when untrusted panel users had access.
Watch for
- Updating the package but leaving local Filament table overrides on the old unsafe pattern.
- Hiding buttons in the UI while direct action calls remain authorized.
- Treating route or page authorization as enough for inline table mutations.
- Testing only one of payment methods, currencies, or carriers.
- Running checkout smoke tests with live payment credentials or real orders.
Related recipes
- Source code authz tenant boundary audit
- Source code secrets and data exposure audit
- OWASP Top 10 2026 audit
- NIST SSDF repository evidence check
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-fxqw-97cc-7g5c
- Shopper advisory: https://github.com/shopperlabs/shopper/security/advisories/GHSA-fxqw-97cc-7g5c
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-47745
- Patch pull request: https://github.com/shopperlabs/shopper/pull/511