PT-2026-26721 · Sweetdaisy86 · Repairbuddy – Repair Shop Crm & Booking Plugin For Wordpress

Ronnachai Chaipha +1 · Published 2026-03-20 · Updated 2026-03-21 · CVE-2026-3567 · CVSS v3.1 5.3 Medium · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax_ and wp_ajax_nopriv_ hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name simply by providing the nonce_name parameter, with no capability check. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) and performs no current_user_can() capability check before updating 15+ plugin options via update_option(). This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin configuration settings, including business name, email, logo, menu label, GDPR settings, and more, by first minting a valid nonce via the wc_rb_get_fresh_nonce endpoint and then calling the settings submission handler.
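To make the two missing checks concrete, here is an added PHP illustration that is not RepairBuddy's code and reproduces none of the plugin's identifiers (example_settings_submission, example_fresh_nonce, example_nonce_action and example_business_name are all hypothetical names). It shows a settings AJAX handler that only verifies a nonce, beside the same handler with the capability check the advisory says is absent, and a nonce endpoint that no longer mints nonces for caller-chosen action names.

```php
<?php
// Added illustration, not RepairBuddy's code. All names below are hypothetical.

// Weak form: a valid nonce only shows the request came through the site's own
// front end inside the nonce window. When a nonce-minting endpoint is reachable
// by every user, the nonce says nothing about who the caller is or may do.
function example_settings_submission_weak() {
    check_ajax_referer( 'example_nonce_action', 'nonce' );
    update_option(
        'example_business_name',
        sanitize_text_field( wp_unslash( $_POST['business_name'] ?? '' ) )
    );
    wp_send_json_success();
}

// Hardened form: an authorization check comes first. Changing plugin-wide
// settings is an administrative action, so require manage_options as well as
// a valid nonce. wp_send_json_error() ends the request, so no return is needed.
function example_settings_submission_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_nonce_action', 'nonce' );
    update_option(
        'example_business_name',
        sanitize_text_field( wp_unslash( $_POST['business_name'] ?? '' ) )
    );
    wp_send_json_success();
}

// A "fresh nonce" endpoint must not take the action name from the request. If
// one is needed at all, bind it to a fixed action and gate it with the same
// capability as the handler whose nonce it issues.
function example_fresh_nonce_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'nonce' => wp_create_nonce( 'example_nonce_action' ) ) );
}

// Register for logged-in users only: an admin-only settings handler and its
// nonce endpoint have no reason to be exposed through wp_ajax_nopriv_.
add_action( 'wp_ajax_example_settings_submission', 'example_settings_submission_hardened' );
add_action( 'wp_ajax_example_fresh_nonce', 'example_fresh_nonce_hardened' );
```

The defensive rule this encodes is the one the advisory turns on: a nonce is a CSRF token, not an authorization decision, so every privileged AJAX handler needs its own current_user_can() check regardless of how the nonce was obtained.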

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-3567

Affected Products

Repairbuddy – Repair Shop Crm & Booking Plugin For Wordpress