What is GHSA-fxqw-97cc-7g5c?

GHSA-fxqw-97cc-7g5c is a security advisory published by GitHub Security Advisories with Medium severity. Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables

Which CVE IDs does GHSA-fxqw-97cc-7g5c cover?

GHSA-fxqw-97cc-7g5c covers the following CVE IDs: CVE-2026-47745. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-fxqw-97cc-7g5c?

GHSA-fxqw-97cc-7g5c has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

Which products are affected by GHSA-fxqw-97cc-7g5c?

GHSA-fxqw-97cc-7g5c affects 1 product, including: composer/shopper/framework:\u003c 2.8.0.

GHSA-fxqw-97cc-7g5cMediumCVSS 6.5

Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables

Vendor

GitHub Security Advisories

Published

June 5, 2026

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2026-47745 →

📋 Description

Impact

The admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could:

Disable every payment method on the store, blocking checkout.
Disable or alter the default currency, changing displayed prices and the exchange rate basis.
Disable carriers, breaking shipping rate computation at checkout.

The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user.

Patches

Fixed in v2.8.0. Each toggle and per-record action now requires its matching permission (edit_payment_methods, edit_currencies, edit_carriers).

Upgrade via:

composer require shopper/admin:^2.8

Workarounds

None. Upgrade to v2.8.0.

🎯 Affected products1

composer/shopper/framework:< 2.8.0