PT-2026-26721 · WordPress · Repairbuddy

Ronnachai Chaipha +1 · Published 2026-03-20 · Updated 2026-03-21 · CVE-2026-3567

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress, versions through 4.1132

Description

The RepairBuddy plugin for WordPress is susceptible to unauthorized access. The plugin has two AJAX handlers that, when used together, permit any authenticated user to change admin-level plugin settings. The `wc_rb_get_fresh_nonce()` function, reachable through both the `wp_ajax` and `wp_ajax_nopriv` hooks, lets a caller obtain a valid WordPress nonce for any action name without any capability check. The `wc_rep_shop_settings_submission()` function verifies the nonce (`wcrb_main_setting_nonce`) but does not confirm the user's capabilities before updating more than fifteen plugin options via `update_option()`. Because a nonce only proves that the request was intended and not that the requester is authorized, an authenticated attacker with subscriber-level access or higher can modify every plugin configuration setting, including the business name, email, logo, menu label, and GDPR settings, by first obtaining a valid nonce and then calling the settings submission handler.

Recommendations

Versions up to and including 4.1132 should be updated. As a temporary workaround, consider restricting access to the `wc_rb_get_fresh_nonce` endpoint. Avoid relying on the `wcrb_main_setting_nonce` parameter in the `wc_rep_shop_settings_submission` function until the issue is resolved.
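The pattern described above, as an added illustration that is not RepairBuddy's code: a nonce-vending endpoint plus a settings handler that checks only the nonce, beside a hardened handler that also checks capability. All function, hook and option names here are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Names are hypothetical.

// --- Anti-pattern ------------------------------------------------------------
// 1) Mints a nonce for whatever action name the caller supplies, and is also
//    registered on the nopriv hook. A nonce handed out on demand proves nothing.
add_action( 'wp_ajax_example_get_nonce', 'example_get_nonce' );
add_action( 'wp_ajax_nopriv_example_get_nonce', 'example_get_nonce' );
function example_get_nonce() {
    $action = sanitize_text_field( wp_unslash( $_POST['action_name'] ?? '' ) );
    wp_send_json_success( wp_create_nonce( $action ) );
}

// 2) Verifies the nonce (CSRF protection) but never asks whether the current
//    user is allowed to change settings: any logged-in user passes.
add_action( 'wp_ajax_example_save_settings_unsafe', 'example_save_settings_unsafe' );
function example_save_settings_unsafe() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    $name = sanitize_text_field( wp_unslash( $_POST['business_name'] ?? '' ) );
    update_option( 'example_business_name', $name );
    wp_send_json_success();
}

// --- Hardened ----------------------------------------------------------------
// No generic nonce generator. The nonce for this one action is emitted inside
// the admin form that legitimately submits it, and only admins see that form.
function example_render_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<form id="example-settings">';
    wp_nonce_field( 'example_settings_nonce', 'nonce' );
    echo '<input name="business_name"></form>';
}

// Authenticated-only hook (no nopriv), nonce check AND capability check, and
// the capability check is the one that actually enforces authorization.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
    $name = sanitize_text_field( wp_unslash( $_POST['business_name'] ?? '' ) );
    update_option( 'example_business_name', $name );
    wp_send_json_success();
}
```

When auditing a plugin for this class of bug, look for every `update_option()` reached from a `wp_ajax_*` handler and confirm a `current_user_can()` check precedes it, not just a nonce check.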

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-3567

Affected Products: Repairbuddy