CVE-2026-3567: CWE-862 Missing Authorization in sweetdaisy86 RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax and wp_ajax_nopriv hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name by simply providing the nonce_name parameter, with no capability checks. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) but performs no current_user_can() capability check before updating 15+ plugin options via update_option(). This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin configuration settings including business name, email, logo, menu label, GDPR settings, and more by first minting a valid nonce via the wc_rb_get_fresh_nonce endpoint and then calling the settings submission handler.
AI Analysis
Technical Summary
The RepairBuddy WordPress plugin exposes two AJAX endpoints that together enable unauthorized modification of administrative plugin settings. The wc_rb_get_fresh_nonce() endpoint allows any user to generate a valid nonce for arbitrary actions without capability verification. The wc_rep_shop_settings_submission() endpoint accepts these nonces and updates over 15 plugin options without checking if the user has the necessary permissions. This missing authorization (CWE-862) permits authenticated users with minimal privileges to escalate their control over plugin configuration.
Potential Impact
An attacker with any authenticated user role, including subscriber-level, can alter critical plugin settings that typically require administrative privileges. This can lead to unauthorized changes in business information, branding, menu labels, and privacy settings, potentially undermining the integrity and trustworthiness of the affected website's repair shop CRM and booking functionalities. There is no indication of direct confidentiality or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles to trusted individuals only and consider disabling or limiting access to the affected plugin's AJAX endpoints if possible. Monitor vendor channels for updates and apply patches promptly once released.
CVE-2026-3567: CWE-862 Missing Authorization in sweetdaisy86 RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
Description
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax and wp_ajax_nopriv hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name by simply providing the nonce_name parameter, with no capability checks. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) but performs no current_user_can() capability check before updating 15+ plugin options via update_option(). This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin configuration settings including business name, email, logo, menu label, GDPR settings, and more by first minting a valid nonce via the wc_rb_get_fresh_nonce endpoint and then calling the settings submission handler.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The RepairBuddy WordPress plugin exposes two AJAX endpoints that together enable unauthorized modification of administrative plugin settings. The wc_rb_get_fresh_nonce() endpoint allows any user to generate a valid nonce for arbitrary actions without capability verification. The wc_rep_shop_settings_submission() endpoint accepts these nonces and updates over 15 plugin options without checking if the user has the necessary permissions. This missing authorization (CWE-862) permits authenticated users with minimal privileges to escalate their control over plugin configuration.
Potential Impact
An attacker with any authenticated user role, including subscriber-level, can alter critical plugin settings that typically require administrative privileges. This can lead to unauthorized changes in business information, branding, menu labels, and privacy settings, potentially undermining the integrity and trustworthiness of the affected website's repair shop CRM and booking functionalities. There is no indication of direct confidentiality or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles to trusted individuals only and consider disabling or limiting access to the affected plugin's AJAX endpoints if possible. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-04T20:38:56.613Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69bdda57b462d409683a8c35
Added to database: 3/20/2026, 11:37:59 PM
Last enriched: 4/9/2026, 11:35:39 AM
Last updated: 5/4/2026, 2:01:10 PM
Views: 47
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.