CVE-2024-12259 is a critical authorization bypass vulnerability identified in the CRM WordPress Plugin – RepairBuddy, affecting all versions up to and including 3.8120. The root cause is a missing authorization check in the AJAX handler wc_update_user_data, which is responsible for updating user email addresses. The plugin fails to properly verify the identity of the requesting user before allowing an email update. As a result, any authenticated user with at least subscriber-level privileges can change the email address of arbitrary users, including administrators. This unauthorized email change enables the attacker to initiate password reset processes for those accounts, effectively allowing account takeover. The vulnerability is remotely exploitable without user interaction and requires only low privileges to begin exploitation. The CVSS 3.1 base score is 8.8, reflecting the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no user interaction needed. Although no public exploits have been reported yet, the vulnerability poses a significant risk to WordPress sites using this plugin, potentially leading to full site compromise, data theft, or further malicious activity.

The impact of CVE-2024-12259 is severe for organizations using the RepairBuddy CRM WordPress plugin. Attackers can escalate privileges from low-level subscriber accounts to administrator accounts by hijacking email addresses and resetting passwords. This leads to complete site takeover, allowing attackers to modify content, steal sensitive data, deploy malware, or disrupt services. Organizations relying on this plugin for customer relationship management risk exposure of confidential customer data and operational disruption. The vulnerability undermines trust in the affected websites and can result in reputational damage, regulatory penalties, and financial losses. Because WordPress powers a significant portion of websites globally, the scope of affected systems is broad, especially for sites that have not updated the plugin. The ease of exploitation and high impact on core security properties make this a critical threat to web infrastructure security.

To mitigate CVE-2024-12259, organizations should immediately update the RepairBuddy plugin to a patched version once released by the vendor. Until a patch is available, administrators should consider disabling or restricting access to the wc_update_user_data AJAX endpoint, for example by implementing web application firewall (WAF) rules that block unauthorized requests to this action. Additionally, review and tighten user role permissions to minimize subscriber-level accounts and monitor logs for suspicious email change or password reset activities. Employ multi-factor authentication (MFA) for administrator accounts to reduce the risk of account takeover. Regularly audit installed plugins for vulnerabilities and maintain an incident response plan to quickly address potential compromises. Finally, consider isolating critical WordPress administrative functions behind VPNs or IP whitelisting to reduce exposure.