CVE-2026-3567
Unauthorized Access in RepairBuddy Plugin Allows Admin Settings Modification
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| repairbuddy | repair_shop_crm_and_booking_plugin | up to and including 4.1132 |
| repairbuddy | repair_shop_crm_booking_plugin | up to and including 4.1132 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress affects all versions up to and including 4.1132. It involves unauthorized access through two AJAX handlers exposed by the plugin. First, the wc_rb_get_fresh_nonce() function allows any user, without proper capability checks, to generate a valid WordPress nonce for any action by providing a nonce_name parameter. Second, the wc_rep_shop_settings_submission() function verifies only the nonce but does not check user capabilities before updating over 15 plugin options.
By combining these two flaws, an authenticated user with subscriber-level access or higher can generate a valid nonce and then submit requests to modify admin-level plugin settings. These settings include sensitive business information such as business name, email, logo, menu label, GDPR settings, and more. Essentially, this allows low-privileged users to escalate their privileges within the plugin and change critical configuration without proper authorization.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users with minimal access (subscriber-level or above) to modify important administrative settings of the RepairBuddy plugin. Such changes could include altering the business name, contact email, logo, menu labels, and GDPR-related settings.
The unauthorized modification of these settings can lead to misinformation being displayed to customers, disruption of business operations, and potential misuse of GDPR settings which could affect data privacy compliance. Attackers could also manipulate email addresses or other contact information to intercept communications or cause confusion.
Overall, this vulnerability allows privilege escalation within the plugin, undermining the integrity and trustworthiness of the repair shop's online booking and CRM system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized users to modify GDPR settings within the plugin, which can directly impact compliance with data protection regulations such as GDPR.
If attackers change or disable GDPR-related configurations, it could lead to improper handling of personal data, failure to obtain valid consent, or incorrect privacy notices, thereby violating GDPR requirements.
While the CVE description does not explicitly mention HIPAA, any unauthorized modification of privacy or security settings in systems handling sensitive data could potentially affect compliance with regulations like HIPAA as well.
Therefore, this vulnerability poses a risk to maintaining regulatory compliance by enabling unauthorized changes to critical privacy and data protection settings.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to two AJAX handlers in the RepairBuddy plugin for WordPress, allowing authenticated users with subscriber-level access or above to modify admin-level plugin settings by exploiting nonce generation and submission endpoints.
To detect exploitation attempts on your system or network, you should monitor HTTP requests targeting the following AJAX endpoints:
- wc_rb_get_fresh_nonce - This endpoint allows generation of a valid WordPress nonce for arbitrary actions without capability checks.
- wc_rep_shop_settings_submission - This endpoint accepts nonce-verified requests to update plugin settings without verifying user capabilities.
You can detect suspicious activity by searching your web server logs or using network monitoring tools for POST requests to these AJAX handlers, especially those originating from authenticated users with low privileges.
Example commands to search Apache or Nginx logs for such requests include:
- `grep -i 'wc_rb_get_fresh_nonce' /var/log/apache2/access.log`
- `grep -i 'wc_rep_shop_settings_submission' /var/log/apache2/access.log`
For real-time monitoring, you can use:
- `tail -f /var/log/apache2/access.log | grep --line-buffered -i 'wc_rb_get_fresh_nonce\|wc_rep_shop_settings_submission'`
Additionally, monitoring WordPress user activity logs for unexpected changes to plugin options or settings can help detect exploitation.
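The following script is an added example, not part of this advisory and not code from the RepairBuddy plugin. It takes the grep-based detection described above one step further: it parses combined-format access-log lines, attributes each request naming one of the two AJAX actions to its client IP, and reports which clients minted a nonce and then submitted settings, since that two-step sequence is the pattern described in the vulnerability explanation. The log lines are constructed sample data using RFC 5737 documentation addresses, and the function names (rb_requests, count_action, clients_hitting_both) are this example's own. One assumption worth stating: admin-ajax.php actions sent in the POST body never appear in an access log, so this (and the grep commands above) only see requests that carry `action=` in the URL; the last sample line shows such a body-only request slipping past the filter.

```shell
#!/bin/sh
# Added example: attribute RepairBuddy AJAX requests in an access log to client IPs.
# Not from the advisory or the plugin; all names and sample data are constructed.

# Constructed sample log (Apache/Nginx combined format). Not real traffic.
# Last line carries the action in the POST body, so it is invisible to log-based
# detection: a known blind spot of this approach.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [21/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wc_rb_get_fresh_nonce&nonce_name=wc_rep_shop_settings HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Mar/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=wc_rep_shop_settings_submission HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Mar/2026:10:05:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Mar/2026:10:06:40 +0000] "POST /wp-admin/admin-ajax.php?action=wc_rep_shop_settings_submission HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.55 - - [21/Mar/2026:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Mar/2026:10:07:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
EOF
)

# Emit one "client_ip action http_status" line per request whose URL names either
# RepairBuddy AJAX action (case-insensitive, like the advisory's grep).
# $1: log text.
rb_requests() {
    printf '%s\n' "$1" |
    grep -i -e 'wc_rb_get_fresh_nonce' -e 'wc_rep_shop_settings_submission' |
    sed -n 's/^\([^ ]*\) .*"[A-Z]* [^ ]*[?&]action=\([A-Za-z0-9_]*\).*" \([0-9][0-9]*\) .*$/\1 \2 \3/p'
}

# Count requests for one action name across all clients (denied requests count
# too: a 403 still records an attempt). $1: log text, $2: action name.
count_action() {
    rb_requests "$1" | awk -v a="$2" 'tolower($2) == tolower(a) { n++ } END { print n + 0 }'
}

# List clients that called BOTH handlers: fetching a fresh nonce and then
# submitting settings is the sequence the advisory describes, so it is the
# strongest single signal in the log. $1: log text.
clients_hitting_both() {
    rb_requests "$1" | awk '
        tolower($2) == "wc_rb_get_fresh_nonce"           { nonce[$1] = 1 }
        tolower($2) == "wc_rep_shop_settings_submission" { submit[$1] = 1 }
        END { for (ip in nonce) if (ip in submit) print ip }' | sort
}

# Stand-alone usage over the constructed sample. On a real host, replace
# SAMPLE_LOG with the contents of /var/log/apache2/access.log (or the Nginx log).
printf 'nonce requests:        %s\n' "$(count_action "$SAMPLE_LOG" wc_rb_get_fresh_nonce)"
printf 'settings submissions:  %s\n' "$(count_action "$SAMPLE_LOG" wc_rep_shop_settings_submission)"
printf 'clients hitting both:  %s\n' "$(clients_hitting_both "$SAMPLE_LOG")"
```

Because the sed expression only captures the `action=` query parameter, a body-only POST (the last sample line) produces no row; corroborating such requests requires application-level logging, for example a WordPress activity-log plugin or the option-change auditing mentioned above.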
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for this vulnerability include:
- Update the RepairBuddy – Repair Shop CRM & Booking Plugin to a version later than 4.1132 where this issue is fixed.
- If an update is not immediately possible, restrict access to the affected AJAX endpoints by limiting authenticated user roles that can access these handlers.
- Implement additional server-side access controls or firewall rules to block suspicious requests targeting the vulnerable AJAX handlers.
- Audit and monitor plugin settings for unauthorized changes, especially business name, email, logo, GDPR settings, and other configuration options.
- Consider temporarily disabling the plugin if the risk of exploitation is high and no patch is available.