Impact
Missing authorization in the RepairBuddy plugin allows attackers to exploit incorrectly configured access control settings, enabling actions on the WordPress site that should be prohibited. This flaw can let unauthorized users view or modify repair shop information, client data, or other protected resources. The weakness is a classic case of broken access control (CWE-862), where permissions are not properly enforced. Based on the description, it is inferred that the vulnerability arises from incorrectly configured user permissions within the plugin’s settings and that an attacker may need to be authenticated as a user with plugin access.
Affected Systems
The affected product is the RepairBuddy computer-repair-shop plugin created by Ateeq Rafeeq. Versions from the earliest release up through 3.8213 are vulnerable. Any WordPress installation running any of those versions carries the risk.
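To check an installation against the affected range above, the following added example (not code from the advisory or from the plugin) reads the plugin's header fields from the first 8 KiB of its main file, as WordPress does, and compares the version with 3.8213. It assumes the plugin directory is named after the slug computer-repair-shop and that versions are dotted numerics compared component by component; the function names are hypothetical.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "computer-repair-shop"  # slug from the advisory; directory name is an assumption
LAST_AFFECTED = "3.8213"              # last affected version stated in the advisory
HEADER_BYTES = 8192                   # WordPress parses plugin headers from the first 8 KiB


def read_header(php_file, name):
    """Return a plugin header field such as 'Version', or None if absent."""
    with open(php_file, "rb") as fh:
        head = fh.read(HEADER_BYTES).decode("utf-8", "replace")
    pattern = r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$"
    m = re.search(pattern, head.replace("\r", "\n"), re.I | re.M)
    if not m:
        return None
    value = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return value or None


def parse_version(text):
    """'3.8213' -> (3, 8213); None when the string is not dotted numerics."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True or False for a parsable version, None when it cannot be judged."""
    parsed, limit = parse_version(version), parse_version(LAST_AFFECTED)
    if parsed is None:
        return None
    width = max(len(parsed), len(limit))
    pad = lambda v: v + (0,) * (width - len(v))  # zero-pad so 3.8213.0 == 3.8213
    return pad(parsed) <= pad(limit)


def audit(plugins_dir):
    """Return (main_file, version, affected), or None if the plugin is not installed."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        if read_header(php, "Plugin Name"):  # only the main file carries this field
            version = read_header(php, "Version")
            return (php.name, version, is_affected(version))
    return (None, None, None)  # directory exists but no plugin header was found
```

Call `audit()` with the path to a site's `wp-content/plugins` directory; a result whose third element is `None` means the version string could not be parsed and needs a manual look.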
Risk and Exploitability
The CVSS base score is 4.3, indicating a moderate impact when used in combination with other flaws. The EPSS score is less than 1%, suggesting that exploitation is unlikely but not impossible. The vulnerability is not listed in CISA's KEV catalog, but administrators should still evaluate the risk based on the plugin’s role and the data it handles. Based on the description, it is inferred that exploitation requires only that an attacker can interact with the plugin’s management interface, and no special network privileges are needed beyond normal access to the site.