CVE-2026-47743: Shopper: Multiple data integrity and disclosure issues in admin Livewire components

Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS:

• IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the #[Locked] attribute. An authenticated user could rewrite the wire payload from the browser to target any record id, bypassing the implicit scoping enforced by the page routing.
• Sensitive data echoed back through Hidden form field. Customers/Create::store() re-passed a Hidden _password form field straight into the create payload. The plaintext password was rendered into the HTML and transported through the Livewire snapshot in clear text, exposing credentials in the page DOM and in any logging that captures Livewire payloads.
• Stored XSS on product barcode. The product barcode field was rendered through DNS1DFacade::getBarcodeHTML() with {!! !!}. An attacker with edit_products permission could persist malicious payload in the barcode field that would execute in the browser of any admin user viewing that product, enabling session theft and privileged-action chaining.