Authorization Bypass Through User-Controlled Key Affecting shopper/framework package, versions <2.8.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.03% (9th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Authorization Bypass Through User-Controlled Key vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PHP-SHOPPERFRAMEWORK-17660414
  • published27 Jun 2026
  • disclosed5 Jun 2026
  • creditUnknown

Introduced: 5 Jun 2026

NewCVE-2026-47743  (opens in a new tab)
CWE-639  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade shopper/framework to version 2.8.0 or higher.

Overview

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the admin Livewire components, where improper handling of model identifiers, hidden form fields, and barcode rendering occurs. An attacker can access sensitive information, manipulate data, or execute arbitrary scripts in the context of an admin user by modifying wire payloads, injecting malicious content into the barcode field, or exploiting improper exposure of plaintext passwords.

CVSS Base Scores

version 4.0
version 3.1