PT-2024-17513 · WordPress · CRM WordPress Plugin – RepairBuddy

Thanh Nam Tran · Published 2024-12-18 · Updated 2024-12-23 · CVE-2024-12259

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CRM WordPress Plugin – RepairBuddy, versions up to 3.8120

Description: The plugin does not properly validate a user's identity before updating their email address through the wc update user data AJAX action. Authenticated attackers with subscriber-level access or above can therefore change arbitrary users' email addresses, including those of administrators, and use the changed address to reset that user's password and take over the account.

Recommendations: For versions up to 3.8120, update to a version above 3.8120 to resolve the issue. As a temporary workaround, consider restricting access to the wc update user data AJAX action until a patch is available. Restrict access to the plugin's user management features to minimize the risk of exploitation.
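The temporary workaround above, as an added example that is not the plugin vendor's code: a drop-in mu-plugin that hooks the AJAX action before the plugin's own handler and only lets a request modify the logged-in user's own record, or another record the caller holds the core edit_user capability for. The hook name wc_update_user_data and the user_id request parameter are assumptions (the advisory prints the action as "wc update user data"); confirm both against the installed plugin before deploying.

```php
<?php
/**
 * Plugin Name: Temporary authorization guard for the RepairBuddy user-update AJAX action
 * Description: Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 *              Enforces the identity/authorization check the advisory describes as missing.
 */

// ASSUMPTION: registered action name; the advisory prints it as "wc update user data".
define( 'RB_GUARD_ACTION', 'wc_update_user_data' );

/**
 * Authorization decision: may $current_user_id update the record of $target_user_id?
 * - unauthenticated callers: never
 * - self-service update of one's own record: yes
 * - anyone else: only with the 'edit_user' meta capability for that specific user
 *   (mapped to 'edit_users', which subscribers do not have)
 */
function rb_guard_can_update_user( int $current_user_id, int $target_user_id ): bool {
    if ( $current_user_id <= 0 || $target_user_id <= 0 ) {
        return false;
    }
    if ( $target_user_id === $current_user_id ) {
        return true;
    }
    return current_user_can( 'edit_user', $target_user_id );
}

/**
 * Runs at priority 0 on the action's wp_ajax_ hook, i.e. before the plugin's
 * handler (default priority 10), and terminates the request when not authorized.
 */
function rb_guard_enforce(): void {
    $current = get_current_user_id();
    // ASSUMPTION: the plugin reads the target user from a 'user_id' parameter.
    // If it is absent, the request can only be about the caller's own record.
    $target = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : $current;

    if ( ! rb_guard_can_update_user( $current, $target ) ) {
        // Log for detection: who tried to modify whom via which action.
        error_log( sprintf( 'rb_guard: blocked %s by user %d targeting user %d',
            RB_GUARD_ACTION, $current, $target ) );
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 ); // calls wp_die()
    }
}
add_action( 'wp_ajax_' . RB_GUARD_ACTION, 'rb_guard_enforce', 0 );
// Unauthenticated callers hit the nopriv hook; get_current_user_id() is 0 there, so they are rejected.
add_action( 'wp_ajax_nopriv_' . RB_GUARD_ACTION, 'rb_guard_enforce', 0 );
```

Remove the mu-plugin once the site is updated past 3.8120; the guard only covers the one action the advisory names and is not a substitute for the vendor fix.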

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-12259

Affected Products: CRM WordPress Plugin – RepairBuddy