Impact
A missing authorization bug in the WordPress RepairBuddy plugin allows an attacker to access and manipulate data and settings beyond their intended permissions. The flaw, classified as broken access control (CWE-862), means that users without adequate privileges can get past the plugin's access checks to view sensitive repair shop information or alter plugin configuration, compromising confidentiality and operational control. The vulnerability does not provide direct remote code execution, but it can undermine the integrity and availability of the repair workflow.
Affected Systems
Installations of the Webful Creations RepairBuddy plugin for WordPress in plugin versions up to and including 4.1121 (all earlier releases included) are vulnerable. Any WordPress site running an instance of this plugin within that version range is at risk, whether or not other protections are in place.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not widely exploited in the public threat landscape. The description does not detail authentication or access requirements; it can be inferred that an attacker might exploit the broken access control by using a non-administrative account or through a public endpoint that bypasses proper checks. Once the plugin's access controls are bypassed, the attacker may view or modify privileged data such as repair orders, customer information, or technical settings.
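To make the CWE-862 pattern concrete, here is an added PHP example (not RepairBuddy's code; the hook names, option name and nonce action are hypothetical) showing a WordPress AJAX handler that lacks any authorization check beside a hardened version that verifies a nonce and the caller's capability before touching plugin settings.

```php
<?php
// Added illustration, not code from the RepairBuddy plugin.
// Hook names, the option name and the nonce action are hypothetical.

// VULNERABLE PATTERN (CWE-862): the handler is registered for both logged-in
// and anonymous callers and never checks who is asking, so any visitor can
// overwrite the plugin's settings (the same gap would expose read endpoints
// for repair orders or customer data).
add_action( 'wp_ajax_rb_demo_save_settings',        'rb_demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_rb_demo_save_settings', 'rb_demo_save_settings_vulnerable' );

function rb_demo_save_settings_vulnerable() {
    // No capability check and no nonce: whatever is posted is written to the DB.
    update_option( 'rb_demo_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED FORM: only logged-in users reach the handler (no wp_ajax_nopriv_
// registration, so anonymous requests are rejected by admin-ajax.php), the
// request must carry a nonce bound to this action (blocks CSRF), and the
// caller must hold the capability the action actually requires.
add_action( 'wp_ajax_rb_demo_save_settings_secure', 'rb_demo_save_settings_secure' );

function rb_demo_save_settings_secure() {
    // Dies with a 403 when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'rb_demo_settings_nonce', 'nonce' );

    // Authorization, not just authentication: being logged in is not enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_option( 'rb_demo_settings', $settings );
    wp_send_json_success();
}
```

When reviewing a plugin for this bug class, every `wp_ajax_*`, `wp_ajax_nopriv_*`, REST route (`permission_callback`) and `admin_post_*` handler that reads or writes privileged data should have an equivalent `current_user_can()` check before any data access.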
OpenCVE Enrichment