Shopper Headless E-commerce Payment Methods, Currencies, and Carriers Authorization Bypass Vulnerability

Vulnerability

An authorization bypass vulnerability has been identified in Shopper, a headless e-commerce admin panel, in versions prior to 2.8.0. The vulnerability exists in the admin tables for PaymentMethods, Currencies, and Carriers, where inline toggles and per-record actions (enable, disable, edit, delete) were exposed to every authenticated user without any further authorization check. Because the server did not verify that the caller was permitted to perform the action, a low-privilege user could disable payment methods, alter the default currency, or disable carriers, leading to a complete denial of checkout and a loss of pricing integrity.
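The pattern behind this class of bug, and the fix, as an added illustration that is not Shopper's own code. Shopper is built on Laravel, so the example is written against a generic Laravel application; everything specific to it is assumed: a PaymentMethod Eloquent model with an `is_enabled` column, a User model with a hypothetical `hasPermissionTo()` helper, a permission named `manage-payment-methods`, and a route named `admin.payment-methods.toggle`. The same shape applies to the Currency and Carrier tables.

```php
<?php
// Added example for this advisory; not Shopper's code. Assumes a generic Laravel
// app with a PaymentMethod model (assumed `is_enabled` column), a User model with
// an assumed hasPermissionTo() helper, and an assumed 'manage-payment-methods'
// permission. Currency and Carrier would get an identical policy and handler.

namespace App\Policies;

use App\Models\PaymentMethod;
use App\Models\User;

class PaymentMethodPolicy
{
    // Each table action maps to one policy ability, so the decision lives in a
    // single place and is enforced server-side whether the request comes from
    // the inline toggle, the edit form, or a request sent without the UI.
    public function update(User $user, PaymentMethod $method): bool
    {
        return $user->hasPermissionTo('manage-payment-methods'); // assumed permission name
    }

    public function delete(User $user, PaymentMethod $method): bool
    {
        return $this->update($user, $method);
    }
}

namespace App\Http\Controllers\Admin;

use App\Models\PaymentMethod;
use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Gate;

class PaymentMethodToggleController
{
    // Vulnerable shape (the pattern the advisory describes): the route's 'auth'
    // middleware is the only gate, so any logged-in user who can reach the admin
    // table can flip the flag.
    public function toggleUnchecked(PaymentMethod $method): RedirectResponse
    {
        $method->update(['is_enabled' => ! $method->is_enabled]);
        return back();
    }

    // Fixed shape: authorize inside the handler. Hiding the toggle in the UI is
    // cosmetic; this call is what turns the request into an HTTP 403 for a
    // user who lacks the permission.
    public function toggle(PaymentMethod $method): RedirectResponse
    {
        Gate::authorize('update', $method); // throws AuthorizationException -> 403
        $method->update(['is_enabled' => ! $method->is_enabled]);
        return back();
    }
}

namespace Tests\Feature;

use App\Models\PaymentMethod;
use App\Models\User;
use Tests\TestCase;

class PaymentMethodAuthorizationTest extends TestCase
{
    // Regression test worth keeping: a user without the permission receives
    // 403 and the record is left unchanged.
    public function test_low_privilege_user_cannot_disable_payment_method(): void
    {
        $user = User::factory()->create();              // no 'manage-payment-methods'
        $method = PaymentMethod::factory()->create(['is_enabled' => true]);

        $this->actingAs($user)
            ->patch(route('admin.payment-methods.toggle', $method)) // assumed route name
            ->assertForbidden();

        $this->assertTrue($method->fresh()->is_enabled);
    }
}
```

The point to take from the example is where the check sits: Laravel auto-discovers `App\Policies\PaymentMethodPolicy` for the `PaymentMethod` model, and `Gate::authorize` runs that policy on every call to the handler, independent of whether the toggle was rendered for the user. A check that only decides whether to show the control is exactly the gap this advisory describes.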

Impact

Exploitation of this vulnerability allowed low-privilege users to disable all payment methods, change the default currency settings, or disable shipping carriers, causing a total breakdown of the checkout process and compromising pricing integrity.

Remediation

Users are advised to upgrade to Shopper version 2.8.0 or later, where this vulnerability has been fixed. Instructions for upgrading are available on the GitHub advisory page.

Added: May 29, 2026, 7:36 PM
Updated: May 29, 2026, 7:36 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.0
  exploitability  5.2
  remediation     0.0
  relevance       9.3
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.