Description
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax and wp_ajax_nopriv hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name by simply providing the nonce_name parameter, with no capability checks. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) but performs no current_user_can() capability check before updating 15+ plugin options via update_option(). This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin configuration settings including business name, email, logo, menu label, GDPR settings, and more by first minting a valid nonce via the wc_rb_get_fresh_nonce endpoint and then calling the settings submission handler.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Plugin Settings
Action: Patch Now
AI Analysis

Impact

The two AJAX handlers named above combine into a missing-authorization (CWE-862) chain. The wc_rb_get_fresh_nonce handler is registered on both the wp_ajax and wp_ajax_nopriv hooks and returns a valid WordPress nonce for whatever action name the caller supplies in the nonce_name parameter, with no capability check. The wc_rep_shop_settings_submission handler then verifies only the wcrb_main_setting_nonce nonce and calls update_option() on more than fifteen plugin options without a current_user_can() check. Because a WordPress nonce is a CSRF token, not an authorization decision, a user with subscriber-level access or above can mint the expected nonce and then overwrite settings such as the business name, contact email, logo image, menu label and GDPR compliance options. This lets an attacker alter configuration data shown to customers, disrupt service information or stage further attacks, but it does not by itself provide code execution or data exfiltration.
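The chain in the description and the impact paragraph above reduces to a handler that mints nonces for any caller and a handler that mistakes a nonce for an authorization check. The PHP below is an added, illustrative reconstruction of that pattern next to a hardened version; it is not the RepairBuddy plugin's code and is meant to be read or loaded on its own, not next to the real plugin (it reuses the advisory's function names). The hook names, the nonce_name parameter and the nonce action wcrb_main_setting_nonce come from the advisory; the option name wcrb_business_name, the business_name request field, the manage_options capability and the WCRB_EXAMPLE_VULNERABLE switch are assumptions.

```php
<?php
// Added, illustrative reconstruction of the pattern described above; not the
// RepairBuddy plugin's code. The hook names, the nonce_name parameter and the
// nonce action 'wcrb_main_setting_nonce' are from the advisory; the option
// name 'wcrb_business_name', the 'business_name' field, the 'manage_options'
// capability and the WCRB_EXAMPLE_VULNERABLE switch are assumptions.

if ( defined( 'WCRB_EXAMPLE_VULNERABLE' ) && WCRB_EXAMPLE_VULNERABLE ) {

    // Vulnerable: nonce minting for any action name, reachable by logged-in
    // and unauthenticated callers alike, with no capability check.
    add_action( 'wp_ajax_wc_rb_get_fresh_nonce', 'wc_rb_get_fresh_nonce' );
    add_action( 'wp_ajax_nopriv_wc_rb_get_fresh_nonce', 'wc_rb_get_fresh_nonce' );
    function wc_rb_get_fresh_nonce() {
        $nonce_name = sanitize_key( wp_unslash( $_POST['nonce_name'] ?? '' ) );
        wp_send_json_success( array( 'nonce' => wp_create_nonce( $nonce_name ) ) );
    }

    // Vulnerable: the nonce is checked, the user's capability is not. A nonce
    // is a CSRF token bound to the current user; it says nothing about
    // whether that user is allowed to change settings.
    add_action( 'wp_ajax_wc_rep_shop_settings_submission', 'wc_rep_shop_settings_submission' );
    function wc_rep_shop_settings_submission() {
        check_ajax_referer( 'wcrb_main_setting_nonce' );
        update_option( 'wcrb_business_name', sanitize_text_field( wp_unslash( $_POST['business_name'] ?? '' ) ) );
        wp_send_json_success();
    }

} else {

    // Hardened: nonces are minted only for an allow-list of actions and only
    // for users who hold the capability that action requires; no nopriv hook.
    add_action( 'wp_ajax_wc_rb_get_fresh_nonce', 'wc_rb_get_fresh_nonce' );
    function wc_rb_get_fresh_nonce() {
        $allowed    = array( 'wcrb_main_setting_nonce' => 'manage_options' ); // assumed mapping
        $nonce_name = sanitize_key( wp_unslash( $_POST['nonce_name'] ?? '' ) );
        if ( ! isset( $allowed[ $nonce_name ] ) || ! current_user_can( $allowed[ $nonce_name ] ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        wp_send_json_success( array( 'nonce' => wp_create_nonce( $nonce_name ) ) );
    }

    // Hardened: the capability check is the authorization decision and comes
    // first; the nonce check only rules out cross-site forgery. Both are needed.
    add_action( 'wp_ajax_wc_rep_shop_settings_submission', 'wc_rep_shop_settings_submission' );
    function wc_rep_shop_settings_submission() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        check_ajax_referer( 'wcrb_main_setting_nonce' );
        update_option( 'wcrb_business_name', sanitize_text_field( wp_unslash( $_POST['business_name'] ?? '' ) ) );
        wp_send_json_success();
    }
}
```

With the constant undefined the hardened pair is registered. The current_user_can() call in the submission handler is the actual fix; tightening the nonce endpoint only removes one way of obtaining a token, since any page that renders the settings form for an authorized user also hands that user the nonce.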

Affected Systems

The vulnerability affects installations of the RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress produced by sweetdaisy86. All plugin versions up to and including 4.1132 are susceptible; no additional sub-version restrictions are listed. Site owners running the plugin on any WordPress instance should review their configuration for unauthorized changes.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) places the issue in the medium severity range; the EPSS estimate is below 1%, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Note that the vector records PR:N while the description requires an authenticated account with subscriber-level or higher capabilities; in practice the barrier is one low-privilege account, which is easy to obtain on sites with open registration or weak credentials. Because the flaw only permits unauthorized configuration changes, the risk is to site integrity rather than to confidentiality or availability, as the vector's C:N/I:L/A:N reflects. The short attack path, two AJAX requests with no further checks, makes this a realistic concern for sites with loosely controlled user permissions.

Generated by OpenCVE AI on March 21, 2026 at 07:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest available version of the RepairBuddy plugin.
  • Restore any changed plugin settings to their intended values and review current system configuration.
  • Limit subscriber-level users to only necessary capabilities and consider removing the plugin if not needed.
  • Monitor AJAX requests and plugin option changes for abnormal activity.
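Until a fixed release is installed, the last two actions above can be applied from a must-use plugin without editing RepairBuddy itself: a guard on admin_init that rejects non-administrators calling the affected AJAX actions before the plugin's handler runs, plus an updated_option listener that writes an audit line for every plugin option change. This is an added example, not vendor code. It assumes administrators hold manage_options, and it guesses the wcrb_ option prefix for the audit filter; adjust that to the option names actually present in wp_options.

```php
<?php
/**
 * Plugin Name: RepairBuddy AJAX guard and option audit (added example)
 *
 * Drop this file into wp-content/mu-plugins/. It is an added example, not
 * RepairBuddy code. Assumptions: administrators hold 'manage_options', and
 * the plugin's options start with 'wcrb_' (a guess used only for logging).
 */

// Shared logger: one line per event in the PHP/WordPress error log.
function wcrb_guard_log( $event, array $fields ) {
    $fields = array_merge( array(
        'user' => get_current_user_id(),
        'ip'   => $_SERVER['REMOTE_ADDR'] ?? '-',
    ), $fields );
    $parts = array();
    foreach ( $fields as $k => $v ) {
        $parts[] = $k . '=' . ( is_scalar( $v ) ? $v : wp_json_encode( $v ) );
    }
    error_log( 'wcrb-guard ' . $event . ': ' . implode( ' ', $parts ) );
}

// 1. Virtual patch. admin-ajax.php fires 'admin_init' before any
//    'wp_ajax_*' / 'wp_ajax_nopriv_*' callback, so rejecting here runs
//    ahead of the plugin's handler whatever priority it registered with.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action     = sanitize_key( wp_unslash( $_REQUEST['action'] ?? '' ) );
    $nonce_name = sanitize_key( wp_unslash( $_REQUEST['nonce_name'] ?? '' ) );

    // Deny the settings handler outright, and deny minting of the one nonce
    // name the advisory documents, to anyone who is not an administrator.
    $deny = ( $action === 'wc_rep_shop_settings_submission' )
         || ( $action === 'wc_rb_get_fresh_nonce' && $nonce_name === 'wcrb_main_setting_nonce' );

    if ( $deny && ! current_user_can( 'manage_options' ) ) {
        wcrb_guard_log( 'blocked', array( 'action' => $action, 'nonce_name' => $nonce_name ) );
        wp_send_json_error( 'forbidden', 403 ); // ends the request; the plugin handler never runs
    }
} );

// 2. Audit trail: every change to a plugin option, with who made it and via
//    which AJAX action, so tampering through any path is visible afterwards.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( strpos( $option, 'wcrb_' ) !== 0 ) { // assumed prefix
        return;
    }
    wcrb_guard_log( 'option_changed', array(
        'option' => $option,
        'admin'  => current_user_can( 'manage_options' ) ? 'yes' : 'no',
        'ajax'   => wp_doing_ajax() ? sanitize_key( wp_unslash( $_REQUEST['action'] ?? '' ) ) : '-',
        'old'    => $old_value,
        'new'    => $value,
    ) );
}, 10, 3 );
```

The nonce guard only covers the nonce name the advisory names; since the endpoint mints a nonce for any action, the plugin's other nonce-protected handlers deserve the same review. Audit lines with admin=no against a wcrb_ option are the signal to look for when restoring settings.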


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sweetdaisy86; Sweetdaisy86 repairbuddy – Repair Shop Crm & Booking Plugin For Wordpress; Wordpress; Wordpress wordpress
Vendors & Products | | Sweetdaisy86; Sweetdaisy86 repairbuddy – Repair Shop Crm & Booking Plugin For Wordpress; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax and wp_ajax_nopriv hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name by simply providing the nonce_name parameter, with no capability checks. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) but performs no current_user_can() capability check before updating 15+ plugin options via update_option(). This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin configuration settings including business name, email, logo, menu label, GDPR settings, and more by first minting a valid nonce via the wc_rb_get_fresh_nonce endpoint and then calling the settings submission handler.
Title | | RepairBuddy <= 4.1132 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via wc_rep_shop_settings_submission AJAX Action
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:28.234Z

Reserved: 2026-03-04T20:38:56.613Z

Link: CVE-2026-3567

Vulnrichment

Updated: 2026-03-23T18:29:37.537Z

NVD

Status : Deferred

Published: 2026-03-21T00:16:28.567

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-3567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:33:36Z

Weaknesses