CVE-2026-47745
Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables
Description
## Impact

The admin tables for `PaymentMethods`, `Currencies` and `Carriers` exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could:

- Disable every payment method on the store, blocking checkout.
- Disable or alter the default currency, changing displayed prices and the exchange rate basis.
- Disable carriers, breaking shipping rate computation at checkout.

The impact is a full denial of checkout and a loss of pricing integrity, reachable by any authenticated user.

## Patches

Fixed in `v2.8.0`. Each toggle and per-record action now requires its matching permission (`edit_payment_methods`, `edit_currencies`, `edit_carriers`). Upgrade via:

```bash
composer require shopper/admin:^2.8
```

## Workarounds

None. Upgrade to `v2.8.0`.
How to fix CVE-2026-47745
To remediate CVE-2026-47745, upgrade the affected package to a fixed version below.
- Upgrade to 2.8.0 or later
Is CVE-2026-47745 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47745.
Affected packages (1)
- from 0, < 2.8.0
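A quick way to tell whether a deployment sits in the affected range is to read the locked `shopper/admin` version out of `composer.lock` and compare it against the fixed release. This is an added example, not code from the advisory or the Shopper project; the `composer.lock` content below is constructed, and the package name and `< 2.8.0` range come from the advisory above.

```python
"""Check a composer.lock for a shopper/admin version affected by CVE-2026-47745."""
import json
import re

PACKAGE = "shopper/admin"
FIXED = (2, 8, 0)  # first fixed release per the advisory; anything below is affected

# Constructed sample lock file: shopper/admin pinned at a vulnerable version.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.9.0"},
        {"name": "shopper/admin", "version": "v2.7.3"},
    ],
    "packages-dev": [],
})


def parse_version(version: str):
    """Map 'v2.7.3', '2.8' or '2.8.0-beta1' to ((major, minor, patch), is_release).

    A pre-release sorts below its final release, so '2.8.0-beta1' is still
    treated as older than 2.8.0. Branch aliases such as 'dev-main' return None.
    """
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.]+)?", version)
    if not m:
        return None
    nums = tuple(int(g) if g else 0 for g in m.groups()[:3])
    return nums, m.group(4) is None


def installed_version(lock_json: str, package: str = PACKAGE):
    """Return the locked version string for `package`, or None if it is not installed."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_affected(version: str) -> bool:
    """True when the version is below 2.8.0; unparseable versions are assumed affected."""
    parsed = parse_version(version)
    return parsed is None or parsed < (FIXED, True)


def check_lock(lock_json: str) -> str:
    """Classify a composer.lock as 'not installed', 'affected' or 'fixed'."""
    version = installed_version(lock_json)
    if version is None:
        return "not installed"
    return "affected" if is_affected(version) else "fixed"


if __name__ == "__main__":
    print(f"{PACKAGE}: {check_lock(SAMPLE_LOCK)}")
```

Point it at a real lock file with `check_lock(open("composer.lock").read())`; a `dev-*` branch alias is reported as affected because its position relative to 2.8.0 cannot be determined from the version string alone.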
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |