IA Squad
php · shopper/framework · Heads-up

Shopper Framework: Missing permission checks on admin table actions (fixed in v2.8.0)

Admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions without permission checks.

09 Jun 2026 · Read 1 min · Severity: schedule it

What changed

Admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions without permission checks. Fixed in v2.8.0 by requiring matching permissions (edit_payment_methods, edit_currencies, edit_carriers).

Who it affects

Any authenticated panel user with low privileges could disable payment methods, alter the default currency, or disable carriers, causing denial of checkout and loss of pricing integrity.

What to do today

Upgrade to v2.8.0 using composer require shopper/admin:^2.8.
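
To confirm the upgrade actually landed in a deployed project, the check below reads composer.lock and classifies the installed Shopper packages against v2.8.0. It is an added example, not part of the advisory or the Shopper project; the sample lock file is constructed, and treating a pre-release of 2.8.0 or a dev branch as "unknown" is an assumption.

```python
import json
import re

# Package names as they appear on this page; the fixed version is v2.8.0.
PACKAGES = {"shopper/framework", "shopper/admin"}
FIXED = (2, 8, 0)
_VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for one lock-file version."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # dev-main, 2.x-dev and similar cannot be compared
    parts = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if parts < FIXED:
        return "vulnerable"
    if parts == FIXED and m.group(4):
        return "unknown"  # pre-release of the fixed version: verify by hand
    return "patched"


def audit_lock(lock_text):
    """Map each Shopper package found in a composer.lock to (version, status)."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") in PACKAGES:
                v = pkg.get("version", "")
                found[pkg["name"]] = (v, classify(v))
    return found


# Constructed sample lock file, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "shopper/framework", "version": "v2.7.3"},
        {"name": "laravel/framework", "version": "v11.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (version, status) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {version}: {status}")
```

An empty result means neither package name is present in the lock file, which is worth a manual look rather than being read as "patched".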
