The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress up to version 4.1132 contains a missing authorization vulnerability (CWE-862) identified as CVE-2026-3567. The vulnerability stems from two AJAX handlers exposed by the plugin. The first handler, wc_rb_get_fresh_nonce(), is registered for both authenticated and unauthenticated users (via wp_ajax and wp_ajax_nopriv hooks) and allows any user to generate a valid WordPress nonce for any arbitrary action name by supplying a nonce_name parameter. Critically, this function performs no capability checks, enabling low-privilege users to mint valid nonces. The second handler, wc_rep_shop_settings_submission(), accepts settings updates and verifies only the nonce (wcrb_main_setting_nonce) but does not check the current user's capabilities using current_user_can(). This handler updates over 15 plugin options via update_option(), including sensitive settings like business name, email, logo, menu labels, and GDPR configurations. By chaining these two flaws, an authenticated user with minimal privileges (subscriber or higher) can generate a valid nonce and submit unauthorized changes to admin-level plugin settings. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS 3.1 base score is 5.3 (medium), reflecting the lack of confidentiality or availability impact but acknowledging the integrity impact and ease of exploitation. No patches or known exploits are currently documented, but the issue poses a significant risk to the integrity of plugin configurations and potentially to business operations relying on these settings.

The primary impact of CVE-2026-3567 is the unauthorized modification of critical plugin settings by low-privilege authenticated users. This can lead to altered business information, misleading contact details, tampered branding elements such as logos, and incorrect GDPR compliance settings. Such changes can disrupt customer interactions, damage brand reputation, and potentially lead to regulatory non-compliance. While the vulnerability does not directly expose sensitive data or cause denial of service, the integrity compromise can facilitate further attacks or social engineering by presenting falsified information. Organizations relying on the RepairBuddy plugin for CRM and booking functions may experience operational disruptions or loss of customer trust. Additionally, attackers could leverage the altered settings to embed malicious links or redirect users, increasing the risk of phishing or malware distribution. The vulnerability's exploitation requires only subscriber-level access, which is commonly granted to registered users, increasing the attack surface. Given the widespread use of WordPress and the plugin's niche in repair shop management, the threat affects both small businesses and larger enterprises using this solution.

To mitigate CVE-2026-3567, organizations should immediately update the RepairBuddy plugin to a patched version once available from the vendor. In the absence of an official patch, administrators should restrict user roles to minimize the number of authenticated users with subscriber or higher privileges. Implement strict role-based access controls and audit user accounts regularly to detect unauthorized privilege escalations. As a temporary workaround, disable or restrict access to the vulnerable AJAX endpoints by using web application firewall (WAF) rules or custom code snippets that verify user capabilities before processing requests. Monitor plugin settings for unauthorized changes and maintain regular backups of configuration data to enable quick restoration. Additionally, consider isolating the WordPress environment and limiting plugin usage to trusted users only. Engage with the plugin vendor to encourage timely patch releases and subscribe to vulnerability advisories for ongoing updates. Finally, educate users about the risks of unauthorized access and enforce strong authentication mechanisms to reduce the likelihood of compromised accounts.