Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS:
- IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the #[Locked] attribute. An authenticated user could rewrite the wire payload from the browser to target any record id, bypassing the implicit scoping enforced by the page routing.
- Sensitive data echoed back through Hidden form …
The admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could:
- Disable every payment method on the store, blocking checkout.
- Disable or alter the default currency, changing displayed prices and the exchange rate basis.
- Disable carriers, breaking shipping rate computation at checkout.
The impact is …
Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the …
Two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system:
- Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators.
- Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including …
Multiple Livewire components in the admin panel allowed an authenticated low-privilege user to mutate data without the required permission:
- Order detail Filament actions (cancel, mark paid, mark complete, capture payment, archive, start processing) were callable with read_orders only and did not require edit_orders. capturePayment could trigger an actual PSP capture.
- Order shipments table actions (mark delivered, edit tracking) were callable with browse_orders only.
- Sub-form Livewire components for products (Edit, Inventory, …