CVE-2026-3567
Received Received - Intake
Unauthorized Access in RepairBuddy Plugin Allows Admin Settings Modification

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax and wp_ajax_nopriv hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name by simply providing the nonce_name parameter, with no capability checks. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) but performs no current_user_can() capability check before updating 15+ plugin options via update_option(). This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin configuration settings including business name, email, logo, menu label, GDPR settings, and more by first minting a valid nonce via the wc_rb_get_fresh_nonce endpoint and then calling the settings submission handler.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-21
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3567
EUVD
EUVD-2026-13924
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
repairbuddy repair_shop_crm_and_booking_plugin to 4.1132 (inc)
repairbuddy repair_shop_crm_booking_plugin to 4.1132 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress affects all versions up to and including 4.1132. It involves unauthorized access through two AJAX handlers exposed by the plugin. First, the wc_rb_get_fresh_nonce() function allows any user, without proper capability checks, to generate a valid WordPress nonce for any action by providing a nonce_name parameter. Second, the wc_rep_shop_settings_submission() function verifies only the nonce but does not check user capabilities before updating over 15 plugin options.

By combining these two flaws, an authenticated user with subscriber-level access or higher can generate a valid nonce and then submit requests to modify admin-level plugin settings. These settings include sensitive business information such as business name, email, logo, menu label, GDPR settings, and more. Essentially, this allows low-privileged users to escalate their privileges within the plugin and change critical configuration without proper authorization.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with minimal access (subscriber-level or above) to modify important administrative settings of the RepairBuddy plugin. Such changes could include altering the business name, contact email, logo, menu labels, and GDPR-related settings.

The unauthorized modification of these settings can lead to misinformation being displayed to customers, disruption of business operations, and potential misuse of GDPR settings which could affect data privacy compliance. Attackers could also manipulate email addresses or other contact information to intercept communications or cause confusion.

Overall, this vulnerability allows privilege escalation within the plugin, undermining the integrity and trustworthiness of the repair shop's online booking and CRM system.

Compliance Impact

The vulnerability allows unauthorized users to modify GDPR settings within the plugin, which can directly impact compliance with data protection regulations such as GDPR.

If attackers change or disable GDPR-related configurations, it could lead to improper handling of personal data, failure to obtain valid consent, or incorrect privacy notices, thereby violating GDPR requirements.

While the CVE description does not explicitly mention HIPAA, any unauthorized modification of privacy or security settings in systems handling sensitive data could potentially affect compliance with regulations like HIPAA as well.

Therefore, this vulnerability poses a risk to maintaining regulatory compliance by enabling unauthorized changes to critical privacy and data protection settings.

Detection Guidance

This vulnerability involves unauthorized access to two AJAX handlers in the RepairBuddy plugin for WordPress, allowing authenticated users with subscriber-level access or above to modify admin-level plugin settings by exploiting nonce generation and submission endpoints.

To detect exploitation attempts on your system or network, you should monitor HTTP requests targeting the following AJAX endpoints:

  • wc_rb_get_fresh_nonce - This endpoint allows generation of a valid WordPress nonce for arbitrary actions without capability checks.
  • wc_rep_shop_settings_submission - This endpoint accepts nonce-verified requests to update plugin settings without verifying user capabilities.

You can detect suspicious activity by searching your web server logs or using network monitoring tools for POST requests to these AJAX handlers, especially those originating from authenticated users with low privileges.

Example commands to search Apache or Nginx logs for such requests include:

  • grep -i 'wc_rb_get_fresh_nonce' /var/log/apache2/access.log
  • grep -i 'wc_rep_shop_settings_submission' /var/log/apache2/access.log
  • For real-time monitoring, you can use:
  • tail -f /var/log/apache2/access.log | grep --line-buffered -i 'wc_rb_get_fresh_nonce\|wc_rep_shop_settings_submission'

Additionally, monitoring WordPress user activity logs for unexpected changes to plugin options or settings can help detect exploitation.

Mitigation Strategies

Immediate mitigation steps for this vulnerability include:

  • Update the RepairBuddy – Repair Shop CRM & Booking Plugin to a version later than 4.1132 where this issue is fixed.
  • If an update is not immediately possible, restrict access to the affected AJAX endpoints by limiting authenticated user roles that can access these handlers.
  • Implement additional server-side access controls or firewall rules to block suspicious requests targeting the vulnerable AJAX handlers.
  • Audit and monitor plugin settings for unauthorized changes, especially business name, email, logo, GDPR settings, and other configuration options.
  • Consider temporarily disabling the plugin if the risk of exploitation is high and no patch is available.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3567. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart